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Abstract 



Quantum key distribution (QKD) has attracted great attention as an un- 
conditionally secure key distribution scheme. The fundamental feature of 
QKD protocols is that the amount of information gained by an eavesdrop- 
per, usually referred to as Eve, can be estimated from the channel between 

the legitimate sender and the receiver, usually referred to as Alice and Bob 
respectively. Such a task cannot be conducted in classical key distribution 
schemes. If the estimated amount is lower than a threshold, then Alice and 
Bob determine the length of a secret key from the estimated amount of Eve's 
information, and can share a secret key by performing the postprocessing. 
One of the most important criteria for the efficiency of the QKD protocols 
is the key generation rate, which is the length of securely sharable key per 
channel use. 

In this thesis, we investigate the channel estimation procedure and the 
postprocessing procedure of the QKD protocols in order to improve the 
key generation rates of the QKD protocols. Conventionally in the channel 
estimation procedure, we only use the statistics of matched measurement 
outcomes, which are bit sequences transmitted and received by the same ba- 
sis, to estimate the channel; mismatched measurement outcomes, which are 
bit sequences transmitted and received by different bases, are discarded in 
the conventional estimation procedure. In this thesis, we propose a channel 
estimation procedure in which we use the mismatched measurement out- 
comes in addition to the matched measurement outcomes. Then, we clarify 
that the key generation rates of the QKD protocols with our channel estima- 
tion procedure is higher than that with the conventional channel estimation 
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procedure. 

In the conventional postprocessing procedure, which is known as the 
advantage distillation, we transmit a message over the pubhc channel re- 
dundantly, which is unnecessary divulging of information to Eve. In this 
thesis, we propose a postprocessing in which the above mentioned divulging 
of information is reduced by using the distributed data compression. We 
clarify that the key generation rate of the QKD protocol with our proposed 
postprocessing is higher than that with the conventionally known postpro- 
cessings. 
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Chapter 1 

Introduction 



1.1 B ackground 

Key distribution is one of the most important and challenging problem in 
cryptology. When a sender wants to transmit a confidential message to a 
receiver, the sender usually encipher the message by using a secret key that 
is only available to the sender and the receiver. For a long time, many 
methods have been proposed to solve the key distribution problem. One 
of the most broadly used method in the present day is a method whose 
security is based on difficulties to solve some mathematical problems, such 
as factorization into prime numbers. Such kind of method is believed to 
be practically secure, but it has not been proved to be unconditionally 
secure; there might exist some clever algorithm to solve those mathematical 
problems efficiently. On the other hand, quantum key distribution (QKD), 
which is the main theme of this thesis, has attracted the attention of many 
researchers, for the reason that its security is based on principles of the 
quantum mechanics. In other word, the QKD is secure as long as the 
quantum mechanics is correct. 

The concept of the quantum cryptography was proposed by Wiesner in 
1970s. Unfortunately, his paper was rejected by a journal, and was not pub- 
hshed until 1983 |Wie83|^ . In 1980s, the quantum cryptography was revived 

^For more detailed history on the quantum cryptography, see Brassard's review article 
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by Bennett et al. in a series of papers |BBBW82l IBB831 IBB84b[ IBB84a] . 
Especially, the quantum key distribution first appeared in Bennett and 
Brassard's one page proceedings paper |BB83] presented at a conference, 
although it is more commonly known as BB84 from its 1984 full publication 
|BB84a) . 

At first, the security of the BB84 protocol was guaranteed only in the 
ideal situation such that the channel between the sender and receiver is 
noiseless. Later, Bennett et al. proposed modified protocols to handle the 
case in which the channel between the sender and the receiver is not neces- 
sarily noiseless |BB89llBBB+92| . During the course of their struggle against 
the problem, many important concepts such as the information reconcilia- 
tion and the privacy amplification, which are explained in detail later, were 
proposed [BBR851 IBBR88| . Finally , Mayers proposed his version of the 
BB84 protocol, and showed its unconditional security |May01| (preliminary 
versions of his proof were published in |May95 May96| ) . Biham et al. also 



proposed their version of the BB84 protocol and showed its unconditional 
security [BBB+OOi IbBB+06] . 



In 2000, Shor an Preskill made a remarkable observation on Mayer's 
security proof of the BB84 protocol |SP00j . They observed that the entan- 
glement distillation protocol (EDP) |BBP+96[ ILC99| with the CSS code, 
one of the quantum error correcting codes proposed by Calderbank, Shor, 
and Stean |CS961 [Ste96j . is implicitly used in Mayer's version of the BB84 
protocol, and presented a simple proof of Mayer's version of the BB84 pro- 
tocol. Their proof technique based on the CSS code is further extended 
to some directions. For example, Lo jLoOlj proved the security of another 
QKD protocol, the six state protocol proposed by BruB |Bru98j . by using 
the technique based on the CSS code. 

Recently, Renner et al. [RGKOSt IRenOSl IKGROSj developed information 
theoretical techniques to prove the security of the QKD protocols includ- 
ing the BB84 protocol and the six-state protocol^. Their proof method 



[Bra05) . 

^Throughout this thesis, we only treat the BB84 protocol and the six-state protocol, 
and we mean these two protocols by the QKD protocols. 
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provides important insight into the security proof of the QKD protocols. 
More precisely, they proved the security of the QKD protocols by extending 
the key agreement in the information theory [Mau93t IAC93| , which will be 
explained in the next section, to the context of the QKD protocols. 

In this thesis, we employ Renner et aVs approach for the security proof 
of the QKD protocols instead of Shor and Preskill's approach. Then, we 
investigate two important phases, the channel estimation and the postpro- 
cessing, of the QKD protocols. 

The QKD protocol roughly consists of three phases: the bit transmission 
phase, the channel estimation phase, and the postprocessing phase. In the 
bit transmission phase, the legitimate sender, usually referred to as Alice 
sends a bit sequence to the legitimate receiver, usually referred to as Bob, 
by encoding them into quantum carrier (eg. polarizations of photons). The 
channel estimation phase will be explained in Section II. 3i In the postpro- 
cessing phase, Alice and Bob share a secret key based on their bit sequences 
obtained in the bit transmission phase. The postprocessing phase can be es- 
sentially regarded as the key agreement problem in the information theory, 
which will be explained in the next section. 



1.2 Key Agreement in Information Theory 

Following Shannon's mathematical formulation of the cryptography |Sha48| 
and the studies on confidential message transmissions over noisy channels 
by Wyner |Wyn75| and Csiszar and Korner |CK79j , the problem of the key 
agreement in the information theory was formulated by Maurer |Mau93j . 
and was also studied by Ahlswede and Csiszar |AC93j . 

In Maurer's formulation Alice and Bob have sequences of independently 
identically distributed (i.i.d.) correlated binarj|§ random variables X = 
(Xi, . . . , Xn) and Y = {Yi, . . . , ¥„) respectively, and the eavesdropper, usu- 
ally referred to as Eve, has a sequence of i.i.d. random variables E = 

Actually, the formulation in [Mau93l IAC93) is not restricted to binary random vari- 
ables. However, we restrict our attention to the binary case because Alice and Bob obtain 
binary sequences in the QKD protocols (refer to Section [T73|l . 
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{El, . . . , En), which are regarded as the information she obtained by eaves- 
dropping X and Y. They conduct a postprocessing^ procedure and share a 
secret key by using the pair of bit sequence (X, Y) as a seed. 

In the postprocessing procedure, Ahce and Bob are allowed to exchange 
messages over the authenticated public channel, that is. Eve can know every 
message transmitted over this channel but she cannot tamper or forge a 
message. Actually, the authenticated public channel can be realized if Alice 



and Bob initially share a short secret key In the rest of this thesis, 

we assume that the public channel is always authenticated though we do 
not mention it explicitly. 

The communication over the public channel in the postprocessing pro- 
cedure may be one-way (from Alice to BobI§) or two-way. The most elemen- 
tary postprocessing procedure is a procedure with one-way public commu- 
nication, and it consists of two procedures, the information reconciliation 
procedure and the privacy amplification procedure. 

The purpose of the information reconciliation procedure for Alice and 
Bob is to agree on a bit sequence from their correlated bit sequences. This 



scheme, Alice sends the compressed version C (say k bit data) of X to 
Bob. Then, Bob reproduce X by using his bit sequence Y and the received 
data C. It is well known that Bob can reproduce Alice's bit sequence with 
negligible error probability if Alice sends appropriate k ~ nH{X\Y) bits 
data. 

The purpose of the privacy amplification procedure for Alice and Bob is 
to distill secret keys from their bit sequences shared in the information rec- 

*The postprocessing is a QKD jargon that means a procedure to distill a secret key 
from Alice and Bob's bit sequences. 

""For this reason, it might be more appropriate to call the procedure the key expansion 
rather than the key agreement. 

''The message transmission can be from Bob to Alice, which case will be treated in 



^Actually, the procedures proposed in [Mau93l IAC93j do not use the Slepian-Wolf 
coding scheme. The Slepian-Wolf coding scheme in the context of the key agreement was 
first used by Muramatsu Mu r06) explicitly, although it was already used in cryptography 
community implicitly (for example in |MWOO| ). 




procedure is nothing but the Slepian-Wolf coding scheme 
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onciliation procedure. More specifically, Alice and Bob distill i bits (usually 
much shorter than n bit) secret key by using appropriate function from n bit 
to a. bit. We require the secret keys to be information theoretically secure, 
i.e., the distilled key is uniformly distributed and statistically independent 
from Eve's available information C and E. 

Since the pair of bit sequences initially shared by Alice and Bob are con- 
sidered as a precious resourc^, we desire the key generation rate ijn to be 
as large as possible. Especially in this paper, we investigate the asymptotic 
behavior of the key generation rate, asymptotic key generation rate, such 
that the secure key agreement is possible. Roughly speakinj§, the secure 
key can be distilled if the key generation rate is smaller than Eve's ambi- 
guity (per bit) about the bit sequence after the information reconciliation, 
that is, 

- ^ H{X\E) - H{X\Y). (1.1) 

n 

In [Mau93j . Maurer also proposed a postprocessing procedure with two- 
way public communication. More specifically, he proposed a preprocessing 
called advantage distillation that is conducted before the information rec- 
onciliation procedure. In the advantage distillation, Alice divides her bit 
sequence into blocks of length 2, and sends the parity X2i-i © X2i of each 
block to Bob. Bob also divides his bit sequence into blocks of length 2, and 
tells Alice whether the received parity of the ith block coincides with Bob's 
corresponding parity 1^21- 1 © ^2i- If their corresponding parities coincide, 

^Actually, Alice and Bob's initial bit sequences are shared by transmitting photons in 
the QKD protocols, and the transmission rate of the photon is usually very slow compared 
to the transmission rate of the public channel. 

^If Alice conducts a preprocessing before the information reconciliation procedure, 
then the condition in Eq. can be slightly generalized as 

- ~ H(U\EV) - H(U\YV), 
n 

where U and V are auxiliary random variables such that V, U, X, and {Y,E) form a 
Markov chain in this order. Although the meaning of the auxiliary random variables have 
been unclear for a long time, recently Renner et al. clarified the meaning of U as the noisy 
preprocessing in the context of QKD protocol [RGK05) (see also Remark 13. 4. 6p . 
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they keep the second bits of those blocks, which are regarded to have strong 
correlation. Otherwise, they discard those blocks, which are regarded to 
have weak correlation. Maurer showed that the key generation rate of the 
postprocessing with the advantage distillation can be strictly higher than 
the right hand side of Eq. (jl.ip in an example. 



In the context of the QKD protocol, the postprocessing procedure with 
both one-way and two-way public communication were considered. Actu- 
ally, the postprocessing procedure with one-way public communication were 
first studied [MayOl ISPOOj . Later, the postprocessing with the advantage 
distillation in the context of QKD protocol was proposed by Gottesman 
and Lo |GL03] . The postprocessing with the advantage distillation was 
extensively studied by Bae and Acm |BA07| . 



In Chapter HI we propose a new kind of postprocessing procedure with 
two-way public communication in the context of QKD protocol. The pur- 
pose of the advantage distillation was to divide the blocks into highly corre- 
lated ones and weakly correlated ones by exchanging the parities. The key 
idea of our proposed postprocessing is that the parities in the conventional 
advantage distillation is redundantly transmitted over the public channel, 
and should be compressed by the Slepian-Wolf coding because Bob's bits 
(124-1; ^2i) is correlated to Alice's parity X2i-i © X2i. In our proposed 
postprocessing, Alice does not sends the parities itself, but she sends the 
compressed version of the parities by regarding Bob's sequence Y as the 
side-information at the decoder. This enables Alice and Bob to extract a 
secret key also from the parity sequence, and improves the key generation 
rate. Actually, the key generation rate of the QKD protocols with our pro- 
posed postprocessing procedure is as high as that with conventional one-way 
or two-way postprocessing procedures. We also clarify that the former is 
strictly higher than the latter in some cases. 



1.3. Unique Property of Quantum Key Distribution 
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1.3 Unique Property of Quantum Key Distribu- 
tion 

In the previous section, we have explained the mathematical formulation 
of the key agreement in the information theory. Then, we have explained 
the fact that Alice and Bob have to set the key generation rate according 
Eve's ambiguity about the bit sequence after the information reconciliation 
procedure (Eq. (frT|) i^ in order to share an information theoretically se- 
cure key. However, Alice and Bob cannot calculate the amount of Eve's 
ambiguity about the bit sequence if they do not know the probability distri- 
bution PxYE of their initial bit sequence and Eve's available information. 
Therefore, they have to estimate the probability distribution itself, or at 
least they have to estimate a lower bound on the quantity H{X\E^. If 
Alice and Bob's bit sequences (X,Y) are distributed by using a classical 
channel, for example the standard telephone line or the Internet, then a 
valid estimate will be the trivial one, 0, because Eve can eavesdrop as much 
as she want without being detected. The QKD protocols provide a way to 
estimate a non-trivial lower bound on H{X\E) by using the axioms of the 
quantum mechanics. 

In the BB84 protocol, Alice randomly chooses a bit sequence and send 
it by encoding each bit into a polarization of a photon. When she encodes 
each bit into a polarization of a photon, she chooses one of two encoding 
rules at random. In the first encoding rule, she encodes into the vertical 
polarization, and 1 into the horizontal polarization. In the second encoding 
rule, she encodes into the 45 degree polarization, and 1 into the 135 degree 
polarization. 

On the other hand. Bob measures the received photons by using one 
of two measurement device at random. The first measurement device dis- 

^"When Alice and Bob conduct the postprocessing with two-way pubhc communication, 
they have to set the key generation rate according to more complicated formula (for more 
detail, see Chapter |4|. 

^^Since the quantity H{X\Y) only involves the marginal distribution Pxy, Alice and 
Bob can easily estimate it by sacrificing a part of their bit sequence as samples. Therefore, 
we restrict our attention to the quantity H{X\E). 
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criminate between the vertical and the horizontal polarizations, and the 
measurement outcome is decoded into the corresponding bit value. The 
second measurement device discriminate between the 45 degree and the 135 
degree polarizations, and the measurement outcome is decoded into the 
corresponding bit value. 

After the reception of the photons, Alice and Bob announce over the 
public channel which encoding rule and which measurement device they 
have used for each bit. Then, they keep those bits if their encoding rule and 
measurement device are compatible, i.e., Alice uses the first (the second) 
encoding rule and Bob uses the first (the second) measurement device. We 
call such bit sequences the matched measurement outcomes. On the other 
hand, they discard those bits if their encoding rule and measurement de- 
vice are incompatible, i.e., Alice uses the first (the second) encoding rule 
and Bob uses the second (the first) measurement device. We call such bit 
sequences the mismatched measurement outcomes. Furthermore, Alice and 
Bob announce a part of their matched measurement outcomes to estimate 
candidates of the quantum channel over which the photons were transmit- 
ted. The rest of the matched measurement outcomes are used as a seed for 
sharing a secret key. 

The most important feature of the QKD protocols is that we can calcu- 
late the quantity i7(X|Ejllby using the axioms of the quantum mechanics if 
they know the quantum channel exactly. Therefore, we can estimate a lower 
bound on H(X\E) via estimating the candidates of the quantum channel. 
Actually, we employ the quantity H{X\E) minimized over the estimated 
candidates of the quantum channel as an estimate of true H{X\E). 

As we explained above, in the conventional BB84 protocol we discard 
the mismatched measurement outcomes and we estimate the candidates of 
the quantum channel by using only the samples from the matched mea- 
surement outcomes. In Chapter [3l we propose a channel estimation proce- 
dure in which we use the mismatched measurement outcomes in addition 



^ It should be noted that we have to use the conditional von Neumann entropy instead 
of the conditional Shannon entropy in the case of the QKD protocols (for more detail, see 
Chapter El. 
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to the samples from the matched measurement outcomes. The use of the 
mismatched measurement outcomes enables us to reduce candidates of the 
quantum channel, and then enables us to estimate tighter lower bounds on 
the quantity H{X\E). Actually, we clarify that the key generation rate 
decided according to our proposed channel estimation procedure is at least 
as high as the key generation rate decided according to the conventional 
channel estimation procedure. We also clarify that the former is strictly 
higher than the latter in some cases. In Chapter HI we also apply our 
proposed channel estimation procedure to the protocol with the two-way 
postprocessing proposed in Chapter HI 

It should be noted that the use of the mismatched measurement out- 
comes was already considered in literatures. In early 90s, Barnett et al. |BHP93) 
showed that the use of mismatched measurement outcomes enables Alice 
and Bob to detect the presence of Eve with higher probability for the so- 
called intercept and resend attack. Furthermore, some literatures use the 
mismatched measurement outcomes to ensure the quantum channel to be a 
Pauh channel [BCE+03[ ITkE+OSI [KLQ+051 IKLKE05| . where a Pauh chan- 
nel is a channel over which four kinds of Pauli errors (including the identity) 
occur probabilistically. However the quantum channel is not necessarily a 
Pauli channel in general. One of the aims of this thesis is to convince the 
readers that the non-Pauli channels deserve consideration in the research of 
the QKD protocols as well as the Pauli channel. 

1.4 Summary 

The QKD protocols consists of three phases: the bit transmission phase, 
the channel estimation phase, and the postprocessing phase. The role of 
the channel estimation phase is to estimate the amount of Eve's ambiguity 
about the bit sequence transmitted in the bit transmission phase. According 
to the estimated amount of Eve's ambiguity, we decide the key generation 
rate and conduct the postprocessing to share a secret key. 

In the conventional estimation procedure, we do not use the mismatched 
measurement outcomes. By using the mismatched measurement outcomes 
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in addition to the samples from the matched measurement outcomes, we 
can improve the key generation rate of the QKD protocols. This topic is 
investigated in Chapter [3l 

In the conventional (two-way) postprocessing procedure, we transmit 
a message over the public channel redundantly, which is unnecessary di- 
vulging of information to Eve. By transmitting the compressed version of 
the redundantly transmitted message, we can improve the key generation 
rate of the QKD protocols. This topic is investigated in Chapter HI 



Chapter 2 

Preliminaries 



In this chapter, we introduce some terminologies and notations, and give 
a brief review of the known results that are used throughout this thesis. 
The first section is devoted to a review of the classical information theory 
|CT06j and the quantum information theory [NCOOl |Hay06| . In the second 
section, we review the known results on the privacy amplification, which is 
the most important tool for the security of the QKD protocols. 

2.1 Elements of Classical and Quantum Informa- 
tion Theory 

2.1.1 Probability Distribution and Density Operator 

For a finite set X, let V{X) be the set of all probability distributions P 
on i.e., P{x) > for all x G A" and X^xgA" -^(■^) ~ 1- -^^^ ^ sequence 
X = (xi, . . . , Xn) G X"', the type of x is the empirical probability distribution 
e V{X) defined by 

\{i\xi = a]\ 

-rx(aj := tor a £ X, 

n 

where |^| is the cardinality of a set A. 

For a finite-dimensional Hilbert space TC, let V{7i) be the set of all 
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density operators p on "H, i.e., p is non-negative and normalized, Trp = 1. 
Mathematically, a state of a quantum mechanical system with (i-degree 
of freedom is represented by a density operator on 7i with dimTi = d. 
Throughout the thesis, we occasionally call p a state and 7i a system. For 
Hilbert spaces TLa and TLb, the set of all density operators V{Ti.A ®'Hb) 
on the tensor product space TIa ^'He '^s defined in a similar manner. In 
Section 12.21 occasionally treat non-normalized non-negative operators. 
For this reason, we denote the set of all non-negative operators on a system 
H (and a composite system Ha ^Hb) by V'{H) (and V'{Ha ^'Hb))- 

The classical random variables can be regarded as a special case of the 
quantum states. For a random variable X with a distribution Px G V{X), 
let 

px ■■= ^ Px{x)\x){x\, 

where {|x)}a;gA' is an orthonormal basis of Tlx- We call px the operator 
representation of the classical distribution Px ■ 

When a quantum system J-Ca is prepared in a state p^ according to a 
realization x of a random variable X with a probability distribution Px, it 
is convenient to describe this situation by a density operator 

pxA ■.= J2Pxix)\x){x\^pi£Vinx^nA), (2.1) 

where {Ix)}^.^;^' is an orthonormal basis olTCx- We call the density operator 
PxA a {cg}-state |DW05j . or we say pxA is classical on Tlx with respect 
to the orthonormal basis {|x)}2;g;f. We call p^ a conditional operator. 
When a quantum system Ti.A is prepared in a state p^^ according to a 
joint random variable {X,Y) with a probability distribution Pxy, a state 
PXYA is defined in a similar manner, and the state pxYA is called a {ccq}- 
state. For non-normalized operator pxA £ 'P'i'Hx "SD Wa), if we can write 
pxA as in Eq. (j2.ip . we say that pxA is classical on Tix with respect to 
the orthonormal basis However, it should be noted that the 
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distribution Px or conditional operators p\ are not necessarily normalized 
for a non-normalized pxA- 

For a {cg}-state pxA € V{Hx'S>Ha), we occasionally consider a density 
operator such that the classical system Hx is mapped by a function / : 
X ^ y. By setting the distribution 

Priy) = E ^-^(^) 

xex 

S{x)=y 

and the density operator 

P\= Px{x)pyPy{y), 

f{x)=y 

we can describe the resulting {cq'}-state as 

PYE:=Y.PY{y)\y){y\®p\. (2.2) 

y&y 

In the quantum mechanics, the most general measurement is described 
by the positive operator valued measure (POVM). A POVM for a system H 
consists of the set A of measurement outcomes, and the set M = {Ma}a£A 
of positive operators indexed by the set A. For a state p G V{'H), the 
probability distribution of the measurement outcomes is given by 

P(a) = Tr[pMa]. 

In the quantum mechanics, the most general state evolution of a quan- 
tum mechanical system is described by a completely positive (CP) map. It 
can be shown that any CP map £ can be written as 

£ip) = Y,EapE: (2.3) 

for a family of linear operators {Ea}aeA from the initial system 7i to the 
destination system H', where A is the index set. We usually require the map 
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to be trace preserving (TP), i.e., X]ae»4 ^a^a = idw, but if a state evolution 
involves a selection of states by a measurement, then the corresponding CP 
map is not necessarily trace preserving, i.e., "^aeA ^a^^^ — ^^W- 

2.1.2 Distance and Fidelity 

In this thesis, we use two kinds of distances. One is the variational distance 
of V{X). For non- negative functions P,P' E V{X), the variational distance 
between P and P' is defined by 

||P-P'|| := \P{x)-P'{x)\. 

The other distance used in this paper is the trace distance of V'iTi). For 
non-negative operators p, a G ViTi), the trace distance between p and a is 
defined by 

11/9 — a\\ := Tr|p — a\, 

where \ A\ := V A* A for a operator on 7i, and A* is the adjoint operator of A. 
The following lemma states that the trace distance between (not necessarily 
normalized operators) does not increase by applying a CP map, and it is 
used several times in this paper. 

Lemma 2.1.1 [RenOSl Lemma A. 2.1] Let p,p' e V'iTC) and let £: be a 
trace-non-increasing CP map, i.e., £ satisfies TT£{a) < Tra for any a £ 
T"{n). Then we have 

\\£{p)-£{p')\\<\\p-p% 

The following lemma states that, for a {cg}-state pxB, if two classical 
messages v and v are computed from x and they are equal with high proba- 
bility, then the {ccq} state pxvB and PxvB that involve computed classical 
messages v and v are close with respect to the trace distance. 
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Lemma 2.1.2 Let 

PXB ■■= Pxix)\x){x\^p% 



be a {cg}-state, and let V := f{X) for a function / and V := g{X) for a 
function g. Assume that 

Pr{F/F}= Px{x)<e. 

xex 

Then, for {ccg}-states 

PXVB ■= Y Pxix)\x){x\ ® \f{x)){f{x)\0p% 

and 

PxvB '■= Yl Px{x)\x){x\ \g{x)){g{x)\ p%, 

we have 

Wpxvb - PxvbW - 

Proof. We have 

Wpxvb - PxvbW 

= Y • - \9{x)){g{x)\W ■ IIpIII 

x&X 

= ^i'x(x)-2(l-5;(,),,(,)) 
xex 

< 2£, 

where 6a,b = 1 if a = 6 and da,b = if a / 6. □ 
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The fidehty between two (not necessarily normalized) operators p,cr £ 
V'{n) is defined by 

F{p,a) ■= Tr^ y/po^/p. 

The following lemma is an extension of Uhlmann's theorem to non-normalized 
operators p and a. 

Lemma 2.1.3 |Ren051 Theorem A. 1.2] Let p, cr G and let \'4)) G 

Ti-R (^TC he a purification of p. Then 

F(p,a) = maxF(|V'>(V|,|0>(0|), 
mm 

where the maximum is taken over all purifications \<j)) G TIr of a. 

The trace distance and the fidelity have close relationship. If the trace 
distance between two non-negative operators p and a is close to 0, then the 
fidelity between p and a is close to 1, and vise versa. 

Lemma 2.1.4 [RenOSl Lemma A. 2. 4] Let p,cr G V'{n). Then, we have 

\\p - ct\\ < V(Trp + TYCT)2 -4F(p,(t)2. 
Lemma 2.1.5 [RenOSl Lemma A. 2. 6] Let p,(T G V'{Tl). Then, we have 
Trp + Tva - 2F{p,a) < \\p-a\\. 

2.1.3 Entropy and its Related Quantities 

For a random variable X on X with a probability distribution Px G V{X), 
the entropy of X is defined by 

H{X) = H{Px) ■■=-Yl Px{x)logPx{x), 
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where we assume the base of log is 2 throughout the thesis. Especially for 
a real number < p < 1, the binary entropy function is defined by 

h{p) := -plogp - (1 - p) log(l - p). 

Similarly, for a joint random variables X and Y with a joint probability 
distribution Pxy € V{X x 3^), the joint entropy of X and Y is 

H{XY) = H{Pxy) 

:= - XI PxY{x,y)\ogPxY{x,y). 
{x,y)exxy 

The conditional entropy of X given Y is defined by 

H{X\Y) := H{XY) - H{Y). 

The mutual information between the joint random variables X and Y is 
defined by 

I{X; Y) := H{X) + H{Y) - H{XY). 



For a quantum state p G V{H), the von Neumann entropy of the system 
is defined by 

H{p) := -TipXogp. 

For a quantum state pab £ ViJ-LA ® Hb) of the composite system, the von 
Neumann entropy of the composite system is H{pab)- The conditional von 
Neaumann entropy of the system A given the system B is defined by 

Hp{A\B) ■.= H{pab)-H{pb), 

where pB = T^a[pab] is the partial trace of pab over the system A. The 
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quantum mutual information between the system A and B is defined by 
Ip{A; B) := H{pa) + H{pb) - H{pab). 

It should be noted that, for {cg}-state pxA^ the quantum mutual informa- 
tion coincides with the Holevo information, i.e., 

Ip{X-A) = H{pa) - Px{x)H{p\). 

Remark 2.1.6 In this paper, we denote pA for Ti:b[pab\ or ps for TvacIpabc] 
e.t.c. without declaring them if they are obvious from the context. 

2.1.4 Bloch Sphere, Choi Operator, and Stokes Parameter- 
ization 

In this section, we first introduce the Bloch sphere, which is a parameteriza- 
tion of the set V{7i) of density operators on two-dimensional space (qubit). 
Then, we introduce the Choi operator for the qubit channel and its Stokes 
parameterization. 
Let 



be the Pauli operators, and let Ui = / be the identity operator on the qubit. 
Then, the set {a\, o"x, Cy, a^} form a basis of the set C{'H) of all operators on 
7i. Furthermore, we have 






1 


, (Ty : = 


-i 


, cjz := 


1 


1 







i 




-1 



v{rL) 



9x + i6 



?x + + Gl < 1 



(2.4) 



that is, there is one-to-one correspondence between a qubit density opera- 
tor and a (column) vectoi0 6 = [^zi^xi^y]"^ within the unit sphere, which is 
called the Bloch sphere [NCOOj . By a straightforward calculation, we can 



^For a reason clarified in Section [3.61 we denote the coordinate in this order. 
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find that the von Neumann entropy of the density operator p that corre- 
sponds to the vector 6 = [0^) ^x, ^y]"^ is 



1 + 



H{p) = h 



where \\6\\ is the Euclidian norm of the vector 9. 



(2.5) 



Let W{nA,'HB) be the set of aU TPCP maps (see Section [2X1]) from 
V{'Ha) to V(7iB), where we set TCa = as qubit. Let 



|00) + |11) 
^/2 



(2.6) 



be a maximally entangled state on the composite system Ti.A ®'Hb- Then, 
we define the set Vc C ViTiA '^'Hb) such as any element p £ Vc satisfies 
TtbIp] = 1/2. It is weh known that |Cho75[ IFA99j there is one-to-one 
correspondence between the set WiTiAi'HB) and the set Vc via the map 

W{nA,nB)3£^ PAb:= (id ® £){^) £ Vc- 

The operator pab is also known as the (normalized) Choi operator |Cho75] . 
For a Choi operator pab G Vc let 



R 



ba 



TrlpABicTa 0-b)] 



(2.7) 



and 



:= Tr[pAB{I (2. 
for a, b G {z,x, y}, where is the complex conjugate of a^. The pair 





( 


Rzz 


Rzx 


Rzy 




' tz " 




iR,t) := 




Rxz 


Rxx 


Rxy 




tx 


] 




[ 


Ryz 


Ryx 


Ryy _ 









of the matrix and the vector is called the Stokes parameterization of the 
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channel E and the Choi operator pAB |FN98l IFA99] . By a straightforward 
calculation, we can find that the channel E is equivalent to the affine map 



z 




Rzz 


Rzx 


R 


X 


1 — > 


Rxz 


Rxx 


R 


y . 




RyZ 


Ryx 


R 





' 0z ' 




" tz ' 




Ox 


+ 


tx 




Jy . 







from the Bloch sphere to itself. 

In the rest of this thesis, we identify a Choi operator and its Stokes 
parameterization if it is obvious from the context. For example, (i?, t) ^ Ac 
Vc means that the Choi operator pab corresponding to (i?, t) is included in 
the subset A. 



2.2 Privacy Amplification 

In this section, we review the privacy amplification. First, we review notions 
of the (smooth) min-entropy and the (smooth) max-entropy. The (smooth) 
min-entropy and the (smooth) max-entropy are useful tool to prove the 
security of QKD protocols |KGR05l iRGKOSl IRenOS] . Especially, (smooth) 
min-entropy is much more important, because it is related to the length 
of the securely distillable key by the privacy amplification. The privacy 
amphfication |BBR85t IBBRSSj IBBCM95j is a technique to distill a secret 
key from partially secret data, on which an adversary might have some 
information. Later, the privacy amplification was extended to the case that 
an adversary have information encoded into a state of a quantum system 
ICRE041 iKMROSl IRKOSi [RenOSj . Most of the following results can be found 
in |Ren051 Sections 3 and 5], but lemmas without citations are additionally 
proved in the appendix of [WMUKOTj . We need Lemma l2.2.8l to apply the 
results in |Ren05j to the QKD protocols with two-way postprocessing in 
Chapter m More specifically, Eq. (3.22) in [RenOSl Theorem 3.2.12] plays 
an important role to show a statement similar as Corollarv 12 . 2 . 91 in the case 
of the QKD protocols with one-way postprocessing. However, the condition 
of Eq. (3.22) in |Ren051 Theorem 3.2.12] is too restricted, and cannot be 
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applied to the case of the two-way postprocessing proposed in Chapter HI 
Thus, we show Corollary 12.2.91 via Lemma 12.2.81 Lemmas 12.2.51 and 12.2.71 
are needed to prove Lemma l2.2.81 

2.2.1 Min- and Max- Entropy 

The (smooth) min-entropy and (smooth) max-entropy are formally defined 
as follows. 

Definition 2.2.1 [RenOSl Definition 3.1.1] Let pab e V^Ha ® Hb) and 
aB G V{TLb)- The min-entropy of pab relative to cjb is defined by 

Hmin{PAB\(yB) ■= " log A, 

where A is the minimum real number such that A • id a ® ub — PAB ^ 0, 
where id^ is the identity operator on TLa- When the condition supp(/?B) C 
supp((Tb) does not hold, there is no A satisfying the condition A • id^ ®(Tb — 
PAB > 0, thus we define -f^min(PA_B|'7B) := — cxd. 

The max-entropy of pab relative to 0"^ is defined by 

-H'max(/5AB|o-B) := logTr ((id^ ® cfb)p\b) ; 

where p\q denotes the projector onto the support of pab- 

The min-entropy and the max-entropy of pab given TIb are defined by 

Hmin{PAB\B) := SUpi?mm(/5AB|o-B) 
Hm&x{pAB\B) := SUpi?max(/5AB|o-B), 

where the supremum ranges over all ub S V{'Hb)- 

When Tis is the trivial space C, the min-entropy and the max-entropy 
of PA is 



HminiPA) = -logAmax(/OA) 

HmaAPA) = logrank(/>A), 
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where Amax(-) denotes the maximum eigenvalue of the argument. 

Definition 2.2.2 [EennSl Definitions 3.2.1 and 3.2.2] Let pAB S V'{Ha ® 
T~(-b), € ViTLs)-, and e > 0. The e-smooth min-entropy and the e-smooth 
max-entropy of pab relative to cr^ are defined by 

SUpi?min(pABkB) 

Pab 

mf -ffmax(p^B|0"B), 
Pab 

where the supremum and infimum ranges over the set B^{pab) of all oper- 
ators G V'{Ha ^ T~(-b) such that \\pab ~ Pab\\ < (Trp^B)e. 

The conditional e-smooth min-entropy and the e-smooth max-entropy 
of PAB given Ti.B are defined by 

Hnnn{PAB\B) := SUp H^^^ipABWB) 

H^i,J.PAb\B) := snp H^^^{pabWb), 
where the supremum ranges over all as € VlTis)- 

The following lemma is a kind of chain rule for the smooth min-entropy. 



HrainiPABWB) '■ = 
H^a.APAB\(y b) ■ = 



Lemma 2.2.3 |Ren051 Theorem 3.2.12] For a tripartite operator pabc £ 
V'iHA (^T-Lb® He), we have 

HLnipABclC) < W^^{pABc\BC) + H^^M- (2-9) 

The following lemma states that removing the classical system only de- 
creases the min-entropy. 



Lemma 2.2.4 [ RenOSl Lemma 3.1.9] (monotonicity of min-entropy) Let 
PXBC £ ^'{Hx ® Ti-B ® 'He) be classical on Hx, and let ac G V{Hc)- 
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Then, we have 

Hrain{pXBcWc) > H^i^{pBcWc)- 

In order to extend Lemma 12.2.41 to the smooth min-entropy, we need Lem- 
mas [123] and [2X71 

Lemma 2.2.5 Let pab S ViTiA ® Wb) be a density operator. For e > 0, 
let pb G B'^{pb)- Then, there exists a operator pab G ^^{pab) such that 
TrAlpAfi] = PB, where e := \/8e. 

Proof. Since /5b G B^{pb), we have 

IIpbII > ll/Ofill - Hps - /5b|| > 1 - 
Then, from Lemma [2.1.51 we have 

F{pb,Pb) > '^{TipB + TipB -\\pB - Pb\\) 
> l-e. 

Let 1^') G TLr 53 be a purification of pab- Then, from Theorem 
12.1.31 there exists a purification |<1*) G TLr ® TLa ^Ti-B of pB such that 

By noting that > 1 — 2e, from Lemma [2. 1.41 we have 

|||^')(^| - |$)($||| < VSe. 

Let PAB '■= Trij[|<I>)(<I>|]. Then, since the trace distance does not increase 
by the partial trace, we have 

Wpab - PabW < VSe. 



□ 
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Remark 2.2.6 In Lemma 12.2.51 if the density operator pAB is classical 
with respect to both systems TIa ®'Hb-, then we can easily replace e by e. 
Then, e in Lemma 12.2.71 12^2.81 and Corollary 12.2.91 can also be replaced by 
e. 

Lemma 2.2.7 Let pxB £ 'Pijix 53 "Hb) be a density operator that is clas- 
sical on TLx- For ^ > 0, let pB S B^{pb)- Then, there exists a operator 
pxB £ S^ipxB) such that Tr x[pxb] = Pb and pxB is classical on Tix, 
where e := VSe. 

Proof. Prom Lemma [2.2.5^ there exists a operator p'-^^ £ B^{pxb) such 
that TixIp'xb] ~ Pb- Let £x be a projection measurement CP map on Tix, 
i.e., 

£x{p) ■■= \^)ix\p\x)ix\^ 

where is an orthonormal basis of Wx- Let pxs := {£x®'^^b){p'xb)- 

Then, since the trace distance does not increase by the CP map, and 

{£x ® i<^b){pxb) = PXB, we have 

Wpxb — PxbW 
= \\{£x(^ iAb){p'xb) - (f-x ®'-^^b)[pxb)\\ 

^ \\f>XB- PXb\\ 

< e, 

where the first inequality follows from Lemma l2.1.1[ Furthermore, we have 
T^icx[pxb] = '~^^x[p'xb] ~ PB, and pxB is classical on TLx- D 

The following lemma states that the monotonicity of the min-entropy 
(Lemma l2.2.4p can be extended to the smooth min-entropy by adjusting the 
smoothness e. 

Lemma 2.2.8 Let pxBC ^ T^C^x 53 Tis 53 Tic) be a density operator that 
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is classical on 7ix- Then, for any e > 0, we have 

Htain{PXBc\C) > H^i^{pBc\C), 

where e := -v/Se. 

Proof. We will prove that 

H^iniPXBcWc) > H^iniPBcWc) 

holds for any ac G V{TCc')- From the definition of the smooth min-entropy, 
for any z/ > 0, there exists pBC £ iS^iPBc) such that 

HminiPBcWc) > H^^iniPBcWc) " I'- (2.10) 

Prom Lemma [2.2.71 there exists a operator pxBC £ iS^ipxBc) such that 
T^x[pxBc] = PBC, and pxBC is classical on TLx- Then, from Lemma [2. 2.41 
we have 

Hrain{pXBc\(yc) > Hyain{PBcWc) ■ (2-11) 

Furthermore, from the definition of smooth min-entropy, we have 

HminiPXBcWc) > H^ia{pxBcWc)- (2-12) 

Since > is arbitrary, combining Eqs. (|2.10p - ()2.12p . we have the assertion 
of the lemma. □ 

Combining Eq. ()2.9p of Lemma 12.2.31 and Lemma 12.2.81 '^^ have the 
following corollary, which states that the condition decreases the smooth 
min-entropy by at most the amount of the max-entropy of the condition, 
and plays an important role to prove the security of the QKD protocols. 

Corollary 2.2.9 Let pxBC £ 'Pijix ® T~(-b 03 Ti-c) be a density operator 
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that is classical on 7ix- Then, for any e > 0, we have 
where e := \/8e- 

For a product {cg}-state Pxb^ the smooth min-entropy can be evaluated 
by using the von Neumann entropy. 

Lemma 2.2.10 |Ren05l Corollary 3.3.7^ Let pxB £ 'PiJ^x ® T~(-b) be a 
density operator which is classical on 7ix- Then for e > 0, we have 

^^min(p|Bl^") > HipXB) " H{pb) - 5, 

where 6 := {2H^Upx) + 3)^lHiM). 
2.2.2 Privacy Amplification 

The following definition is used to state the security of the distilled key by 
the privacy amplification. 

Definition 2.2.11 [RenOSl Definition 5.2.1] Let pab e V'{Ha®'Hb)- Then 
the trace distance from the uniform of pab given B is defined by 

d{pAB\B) := Wpab - Pa'"" ^ PbII, 

where := gj^jp^idyi is the fully mixed state on Ha and pB '■= TtaIpab]- 

Definition 2.2.12 |CW79j Let T he a set of functions from X to S, and 
let Pp be the uniform probability distribution on J^. The set JF is called 
universal hash family if Pr{/(x) = f{x')} < ^ for any distinct x,x' G X. 

Consider an operator pxE £ 'P'{'Hx ®'He) that is classical with respect 
to an orthonormal basis {|a;)}2,'eA' of TLx-, and assume that / is a function 

^See also Ref. [22] of [gR08] 
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from X to S. The operator describing the classical function output together 
with the quantum system TCe is then given by 

P f ix)E ■=^\s){s\'^ P% ioi p% := Pe^ (2-13) 

ses xe/-i(2) 

where is an orthonormal basis of TCs- 

Assume now that the function / is randomly chosen from a set J- of 
function according to the uniform probabihty distribution Pp. Then the 
output f{x), the state of the quantum system, and the choice of the function 
/ is described by the operator 

Pf(x)ef '■= Y.PF{f)Pnx)E®\f){f\ (2.14) 

on 7is ® Ti-E ^5" Ti-p, where "Hj? is a Hilbert space with orthonormal basis 
The system TCs describes the distilled key, and the system Tip 
and Tip describe the information which an adversary Eve can access. The 
following lemma states that the length of securely distillable key is given by 
the conditional smooth min-entropy H^^j^{pxe\E). 

Lemma 2.2.13 |Ren05l Corollary 5.6.1] Let pxE G ViTix ^ Up) be a 
density operator which is classical with respect to an orthonormal basis 
{la;)}^;^;^ of 7ix- Let J- he a, universal hash family of functions from X to 
{0, 1}^, and let e > 0. Then we have 

d{pp^x)EF\EF) < 2e + 2-'2("'^^^iPxE\E)-i) 

for pp{x)EF G T>{Hs (^l-Lp® Hp) defined by Eq. (I2l4l) . 

By using Corollary 12.2.91 and Lemma 12.2.131 we can derive the following 
corollary, which gives the length of the securely distillable key when Eve 
can access classical information in addition to the quantum information. 

Corollary 2.2.14 Let pxcE be a density operator on ViTLx ® He ® Hp) 
that is classical with respect to the systems X and C. Let ^ be a universal 
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family of hash functions from X to {0, 1} , and let e > 0. If 
£ < Hi^^{pxE\E) - logdimT^c - 21og(l/e), 

then we have 

d{pF(x)CEF\CEF) < 3e, 

where e = e^/8. 



Remark 2.2.15 When the density operator pxcE is such that the system 
C only depends on X, then e in Corollary 12.2.141 can be replaced by e 
|Ren05t Lemma 6.4.1]. 



Chapter 3 



Channel Estimation 



3.1 Background 

As we have mentioned in Chapter [H the QKD protocols consists of three 
phases: the bit transmission phase, the channel estimation phase, and the 
postprocessing phases. The postprocessing is a procedure in which Alice 
and Bob generate a secret key from their bit sequences obtained in the bit 
transmission phase, and the key generation rate (the length of the generated 
key divided by the length of their initial bit sequences) is decided according 
to the amount of Eve's ambiguity about their bit sequence estimated in the 
channel estimation phase. The channel estimation phase is the main topic 
investigated in this chapter. 

Mathematically, quantum channels are described by trace preserving 
completely positive (TPCP) maps [NCOOj . Conventionally in the QKD pro- 
tocols, we only use the statistics of matched measurement outcomes, which 
are transmitted and received by the same basis, to estimate the TPCP 
map describing the quantum channel; mismatched measurement outcomes, 
which are transmitted and received by different bases, are discarded in the 
conventionally used channel estimation methods. By using the statistics of 
mismatched measurement outcomes in addition to that of matched mea- 
surement outcomes, we can estimate the TPCP map more accurately than 
the conventional estimation method. Such an accurate channel estimation 
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method is also known as the quantum tomography [CN971 IPCZ97j . In 
early 90s, Barnett et al. |BHP93j showed that the use of mismatched mea- 
surement outcomes enables Alice and Bob to detect the presence of Eve 
with higher probability for the so-called intercept and resend attack. Fur- 
thermore, some literatures use the accurate estimation method to ensure 
the channel to be a Pauh channel [BCE+OSl lLKE+03[ lKLQ+05[ iKLKEOSj . 
where a Pauli channel is a channel over which four kinds of Pauli errors 
(including the identity) occur probabilistically. However the channel is not 
necessarily a Pauli channel. 

The use of the accurate channel estimation method has a potential to 
improve the key generation rates of the QKD protocols. For this purpose, we 
have to construct a postprocessing that fully utilize the accurate channel es- 
timation results. However, there was no proposed practically implementable 
postprocessing that can fully utilizes the accurate estimation method. Re- 
cently, Renner et al. |RGK051 IRenOSj IKGR05| developed information theo- 
retical techniques to prove the security of the QKD protocols. Their proof 
techniques can be used to prove the security of the QKD protocols with a 
postprocessing that fully utilizes the accurate estimation method. However 
they only considered Pauli channels or partial twirled channel^]. For Pauli 
channels, the accurate estimation method and the conventional estimation 
method make no difference. 

In this chapter, we propose a channel estimation procedure in which 
we use the mismatched measurement outcomes in addition to the matched 
measurement outcomes, and also propose a postprocessing that fully utilize 
our channel estimation procedure. We use the Slepian-Wolf coding [SW73j 
with the linear code (linear Slepian-Wolf coding) in our information recon- 
ciliation (IR) procedure. 

The use of the linear Slepian-Wolf coding in the IR procedure has the fol- 
lowing advantage over the IR procedures in the literatures |RGK051 IRenOSl 
IKGR051 IDWOSj . In |DW05j . the authors constructed their IR procedure 
by the so-called random coding method. Therefore, their IR procedure is 



^By the partial twirling (discrete twirling) [BDSW96] . any channel becomes a Pauli 
channel. 
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not practically implementable. In [RGKOSl IRen05[ IKGROSj . the authors 
constructed their IR procedure by randomly choosing an encoder from a 
universal hash familjQ. Their IR procedure is essentially equivalent to the 
Slepian-Wolf coding. However, the ensemble the encoder of the low density 
parity check (LDPC) code, which is one of the practical linear codes, is 
not a universal hash family. On the other hand, the linear code in our IR 
procedure can be a LDPC code. 

The rest of this chapter is organized as follows: In Section 13.21 we ex- 
plain the bit transmission phase of the QKD protocols with some technical 
terminologies. Then, we formally describe the problem setting of the QKD 
protocols. In Section 13. 3^ we show our IR procedure. In Section 13.4. H 
we show our proposed channel estimation procedure, and then clarify a 
sufficient condition such that Alice and Bob can share a secure key (Theo- 
rem [2313])- Then, we derive the asymptotic key generation rate formulae. 
In Section 13.51 we clarify the relation between our proposed channel esti- 
mation procedure and the conventional channel estimation procedure. In 
Section 13.61 we investigate the asymptotic key generation rates for some 
representative examples of channels. 

It should be noted that most of the results in this chapter first appeared 
in |WMU08] . However, some of the results in Section [3.6.11 and Section [X71 
are newly obtained in this thesis. 

3.2 BB84 and Six-State Protocol 

In the six-state protocol, Alice randomly sends bit or 1 to Bob by modu- 
lating it into a transmission basis that is randomly chosen from the z-basis 
{|0z), |lz)}, the x-basis {|0x), |lx)}, or the y-basis {|0y), |ly)}, where |0a), |la) 
are eigenstates of the Pauli operator for a G {x, y, z} respectively. Then 
Bob randomly chooses one of measurement observables a^, Cy, and ciz, and 
converts a measurement result -|-1 or —1 into a bit or 1 respectively. After 
a sufficient number of transmissions, Alice and Bob publicly announce their 

^See Definition 12.2. 12] for the definition of tlie universal hash family. 
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transmission bases and measurement observables. They also announce a 
part of their bit sequences as sample bit sequences for estimating channel 
between Alice and Bob. 

In the BB84 protocol, Alice only uses z-basis and x-basis to transmit 
the bit sequence, and Bob only uses observables and fix to receive the bit 
sequence. 

For simplicity we assume that Eve's attack is the collective attack, i.e., 
the channel connecting Alice and Bob is given by tensor products of a chan- 
nel £b from a qubit density operator to itself. This assumption is not a 
restriction for Eve's attack by the following reason. Suppose that Alice and 
Bob perform a random permutation to their bit sequence. By perform- 
ing this random permutation, the channel between Alice and Bob becomes 
permutation invariant. Then, we can asymptotically reduce the security of 
the QKD protocols for the most general attack, the coherent attack, to the 
security of the collective attack by using the (quantum) de Finetti represen- 
tation theorem [RenOSl iRenOTl [CKR09j . Roughly speaking, the de Finetti 
representation theorem says that (randomly permuted) general attack can 
be approximated by a convex mixture of collective attacks. 

So far we have explained the so-called prepare and measure scheme of 
the QKD protocols. There is the so-called entanglement based scheme of the 
QKD protocols |Eke91| . In the entanglement based scheme, Alice prepares 
the Bell state 



and sends the second system to Bob over the quantum channel £b- Then, 
Alice and Bob conduct measurements for the shared state 



by using randomly chosen observables da and respectively. Although the 
entangled based scheme is essentially equivalent to the prepare and measure 
scheme |BBM92] , the latter is more practical in the present day technology 




PAB ■= {id^£B){ip) 
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because Alice and Bob do not need the quantum memory to store qubits. 
However, the former is more convenient to mathematically treat the BB84 
protocol and the six-state protocol in a unified manner. Therefore in the 
rest of this thesis, we employ the entanglement based scheme of the QKD 
protocols, and consider the following situation. 

Suppose that Alice and Bob share the bipartite (qubits) system {Ti.A ® 
'Hb)^^ whose state is p®^. Alice and Bob conduct measurements for the 
first n (out of A^) bipartite systems by z-basis respectiveljlf]. They also 
conduct measurements for the latter m (out of A^) bipartite systems by 
randomly chosen bases from the set Ji, := {x, z} in the BB84 protocol and 
Js '■= {x;Z,y} in the six-state protocol. Formally, the measurement for the 
latter m systems can be described by the bipartite POVM := {Mz}z&z 
on the bipartite system Ha^'Hb, where Z := F2 x Jf, x F2 x Jf, for the BB84 
protocol and := F2 x x F2 x for the six-state protocol. Note that 
Alice and Bob generate a secret key from the first n measurement outcomes 
(x,y) G F2 X F2, and they estimate an unknown density operator pAB by 
using the latter measurement outcomes z E Z^, which we call the sample 
sequence. When we do not have to discriminate between the BB84 protocol 
and the six-state protocol, we omit the subscripts of Jh and ^Ts, and denote 
them by J . 

As is usual in QKD literatures, we assum^ that Eve can obtain her 
information by conducting a measurement for an environment system TIe 
such that a purification ipABE of pab is a density operator of joint system 
Ti-A ®'Hb ® 'He- Therefore, Alice's bit sequence x = (xi, . . . , x^), Bob's bit 
sequence y = (yi, . . . ,2/™), and the state in Eve's system can be described 



■^In this thesis, we mainly consider a secret key generated from Alice and Bob's mea- 
surement outcomes by z-basis. Therefore, we occasionally omit the subscripts {x, y, z} of 
bases, and the basis {|0), |1)} is regarded as z-basis unless otherwise stated. 

*By this assumption, we are considering the worst case, that is, the security under this 
assumption implies the security for the situation in which Eve can conduct a measurement 
for a subsystem Ti^/ of 7i_B. This fact can be formally proved by using the monotonicity 
of the trace distance, because the security is defined by using the trace distance in this 
thesis (see Section 13. 4. ip . 
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by the {ccg}-state 

PXYE= -fxy(x,y)|x,y)(x,y| (8)^^'^, 

(x,y)eF^xFJ 

where PJy is the product distribution of PxY{x,y) := Tr[\x, y){x,y\pAB], 
and p^'^ := (8) ■ ■ ■ (g) p^"'^" for the normahzed density operator of 

T^AB[{\x,y){x,y\ <Si Ie)iPabe]- 

3.3 One- Way Information Reconciliation 

When AUce and Bob have correlated classical sequences, x, y € the 
purpose of the IR procedure for Alice and Bob is to share the same classical 
sequence by exchanging messages over the public authenticated channel, 
where F2 is the field of order 2. Then, the purpose of the PA procedure 
is to extract a secret key from the shared bit sequence. In this section, we 
present the most basic IR procedure, the one-way IR procedure. In the 
one-way IR procedure, only Alice (resp. Bob) transmit messages to Bob 
(resp. Alice) over the public channel. 

Before describing our IR procedure, we should review the basic facts of 
linear codes. An [n, n — k] classical linear code C is an (n — /c)-dimensional 
linear subspace of F2, and its parity check matrix M is an A; x n matrix 
of rank k with 0, 1 entries such that Mc = for any codeword c G C By 
using these preparations, our procedure is described as follows: 

(i) Alice calculates the syndrome t = i(x) := Mx, and sends it to Bob 
over the public channel. 

(ii) Bob decodes (y , t) into an estimate of x by a decoder x : x F| ^ F2 . 

In the QKD protocols, Alice and Bob do not know the probability dis- 
tribution PxY in advance, and they estimate candidates {PxY,e '■ ^ ^ ©} 
of the actual probability distribution PxY- In order to use the above IR 
procedure in the QKD protocols, the decoding error probability have to 
be universally small for any candidate of the probability distribution. For 
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this reason, we introduce the concept that an IR procedure is J-universahy- 
correcjf] as follows. 

Definition 3.3.1 We define an IR procedure to be (5-universally-correct for 
the class {Pxy,9 '■ ^ £ ©} of probability distributions if 

^'ly,e({(x,y): x/x(y,t(x))})<5 

for every 9 £ Q. 

An example of a decoder that fulfils the universality is the minimum 
entropy decoder defined by 

x(y,i) := argmini7(Pxy)- 

x:Mx=£ 



Theorem 3.3.2 |Csi821 Theorem 1] Let r be a real number that satisfies 

r>mmHiXe\Ye), 

eee 

where the random variables {Xg,YQ) are distributed according to PxYfi- 
Then, for every sufficiently large n, there exists a k xn parity check matrix 
M such that ^ < r and a constant E > that does not depends on n, 
and then the decoding error probability by the minimum entropy decoding 
satisfies 

P^^,,({(x,y): x^x(y,t(x))})<e-"^ 
for every 9 £ Q. 

Remark 3.3.3 Conventionally, we used the error correcting code instead 
of the Slepian-Wolf coding in the IR procedure (e.g. |SP00j ). In this remark, 

^Early papers of QKD protocols did not consider the universality of the IR procedure. 
The need for the universality was first pointed out by Hamada [Ham04] as long as the 
author's knowledge. 
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we show that the leakage of information to Eve in the above IR procedure 
is as small as that in the IR procedure with the error correcting code. 
Furthermore, we show the sufficient and necessary condition for that the 
former equals to the latter. 

For appropriately chosen linear code C C F2 , the IR procedure with the 
error correcting (linear) code is conducted as follows. 

(i) Alice randomly choose a code word c £ C, and sends c + x to Bob 
over the public channel. 

(ii) Bob decodes c + x + y into an estimate c of the code word c by 
a decoder from F2 to C. Then, he obtains an estimate x of x by 
subtracting c from the received public message c + x. 

Note that Step ([1]) is equivalent to sending the syndrome Afx G F2 to Bob 
from the view point of Eve, because Eve can know to which coset of Fg/C 
Alice's sequence x belongs by knowing c + x. However, the length k of 
the syndrome have to be larger than that in the IR procedure with the 
Slepian-Wolf coding by the following reason. 
Define a probability distributioro on F2 as 



Then the error w := x + y between Alice and Bob's sequences is distributed 
according to P^r. Since we can regard that the code word c is transmitted 
over the binary symmetric channel (BSC) with the crossover probability 
Pvk(1)) the converse of the channel coding theorem |CT06j implies that 
dim C/n = 1 — k/n have to be smaller than 1 — H(W). By using the log- 
sum inequality |CT06j and Eq. (|3.1|) . we have 




(3.1) 



y&2 



H{X\Y) 




1 



Px\Y{x\y) 



^For simplicity, we assume that there exists only one candidate of distribution Pj 
and omit 9 in this remark. 
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J2 PY{y)Px\Y{y + w\y)'^og 



Pviy) 



PY{y)Px\Y{y + w\y) 



< 




H{W), 



and the equality holds if and only if Px\y{w\Q) equals Px|y(l + foi' 
any w G F2. 

Remark 3.3.4 When we implement the above IR procedure, we should use 
a parity check matrix with an efficient decoding algorithm. For example, 
we may use the low density parity check (LDPC) matrix |Gal63] with the 
sum-product algorithm. 

For a given sequence y G Fg, and a syndrome t G Fg, define a function 



where N{i) := {j | Mij = 1} for the parity check matrix M, and ![•] is the 
indicator function. The function P*(x) is the non-normalized a posteriori 
probability distribution on Fg given y and t. The sum-product algorithm is 
a method to (approximately) calculate the marginal a posteriori probability, 
i.e.. 



The definition of a posteriori probability in Eq. (|3.2p is the only differ- 
ence between the decoding for the Slepian-Wolf source coding and that for 
the channel coding. More precisely, we replace |Mac03t Eq. (47.6)] with 
Eq. (|3.2p . and use the algorithm in |Mac031 Section 47.3]. The above pro- 
cedure is a generalization of |LXG02] , and a special case of [CLMEOB] . 

In QKD protocols we should minimize the block error probability rather 
than the bit error probability, because a bit error might propagate to other 



n k 




(3.2) 



j=i i=i 
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bits after the privacy amphfication. Although the sum-product algorithm is 
designed to minimize the bit error probability, it is known by computer sim- 
ulations that the algorithm makes the block error probability small |Mac03j . 

Unfortunately, it has not been shown analytically that the LDPC ma- 
trix with the sum-product algorithm can satisfy the condition in Definition 
13.3.11 However, it has been shown that the LDPC matrix can satisfy the 
condition in Definition 13.3.11 if we use the maximum a posteriori probabil- 
ity (MAP) decoding with an estimated probability distribution 
Since the sum-product algorithm is a approximation of the MAP decod- 
ing, we expect that the LDPC matrix with the sum-product algorithm can 
satisfy the condition in Definition 13.3.11 as well. 

3.4 Channel Estimation and Asymptotic Key Gen- 
eration Rate 

3.4.1 Channel Estimation Procedure 

In this section, we show the channel estimation procedure. The purpose of 
the channel estimation procedure is to estimate an unknown Choi operator 
P = PAB G "Pc from the sample sequence z E Z^. By using the estimate 
of the Choi operator, we show a condition on the parameters (the rate of 
the syndrome and the key generation rate) in the postprocessing such that 
Alice and Bob can share a secure key (Theorem I3.4.3P . 

Let us start with the channel estimation procedure of the six-state pro- 
tocol. In this thesis, we employ the maximum likelihood (ML) estimator: 

p(z) := argmaxP"(z), 

peVc 

where P™ is m products of the probability distribution Pp of the sample 
symbol z & Z defined by Pp{z) := Tt[Mzp]. 

^In [MUWOS] . Muramatsu et. al. has proposed to use the LDPC code and the MAP 
decoding for the Slepian-Wolf code sysmtem. However, their result cannot be used in 
the context of the QKD protocol, because there is an estimation error of the distribution 

PXY- 
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As we have seen in Section [1.21 the conditional von Neumann entropy 



plays an important role to decide the key generation rate in the postpro- 
cessing, where 



for a purification \iIjabe) of p = pab- Therefore, we have to estimate this 
quantity, Hp{X\E). Actually, the estimator 



is the ML estimator of Hp{X\E) ((]Bn2l Theorem 7.2.10]. 

Next, we consider the channel estimation procedure of the BB84 proto- 
col. Although the Choi operator p is described by 12 real parameters (in the 
Stokes parameterization), from Eqs. (|2.7p and (|2.8p . we find that the distri- 
bution Pp only depends on the parameters to := {Rzz, Rzxi Rxz, Rxx,tz,tx) , 
and does not depend on the parameters r := (Rzy, R^y, Ryz, Ryx, Ryy,ty)- 
Therefore, we regard the set 



as the parameter space, and denote Pp by P^. Then, we estimate the 
parameters uj by the ML estimator: 



Since we cannot estimate the parameters r, we have to consider the 
worst case, and estimate the quantity 



Hp{X\E) := H{pxe) - H{pe) 




H,{X\E) :=/7^(,)(X|i^) 



n:={ujeW : 3t G (w, r) G Vc] 



u}{z) := argmaxP™(z) 




.m H,{X\E) 



(3.3) 
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for a given lo £ where the set 

Vc{io) := {g = {u', t') G ■ l^' = l^} 
is the candidates of Choi operators for a given uj £ Q. Actually, 
HJXIE) := min HJXlE) 

is the ML estimator of the quantity in Eq. (j3.3p . 

It is known that the ML estimator is a consistent estimator (with certain 
conditions, which are satisfied in our case |Wal49) ). that is, the quantities 

^,(a,m):=P-({z: ||p(z) - p|| > a}) (3.4) 

for the six-state protocol and 

AXb(a,m) :=Pj;^({z : |p(z) - c^|| > a}) (3.5) 

for the BB84 protocol converge to for any a > as m goes to infinity. In 
the rest of this thesis, we omit the subscripts of ^s{a^ m) and /Ub(a, m), and 
denote them by ^[a^rn). 

Since Hp{X\E) is a continuous function of p, which follows from the 
continuity of the von Neumann entropy, there exists a function ??s(") such 
that 

\H^{X\E) - Hp{X\E)\ < 7]s{a) (3.6) 

for ||yo(z) — p\\ < a and r]s{a) — > as a ^ 0. Similarly, since Eq. (j3.3p is 
a continuous function of uj, which will be proved in Lemma 13.4.111 there 
exists a function r]b{-) such that 

\H,{X\E) - min H,{X\E)\ < 7],{a) (3.7) 
for \\uj{z) — a;|| < Q and ??fe(a) — > as a ^ 0. In the rest of this thesis, we 
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omit the subscripts of r]s{-) and r/6(-), and denote them by ry(-). 

3.4.2 Sufficient Condition on Key Generation Rates for Se- 
cure Key Agreement 

In this section, we explain how Alice and Bob decides the parameters of the 
postprocessing and conduct it. Then, we show a sufficient conditions on the 
parameters such that Alice and Bob can share a secure key. 

If the sample sequence is not contained in a prescribed acceptable region 
Q C (see Remark 13.4.41 for the definition), then Alice and Bob abort 
the protocol. Otherwise, they decide the rate of the linear code used 
in the IR procedure according to the sample bit sequence z. Furthermore, 
they also decide the length £{z) of the finally distilled key according to the 
sample sequence z. Then, they conduct the postprocessing as follows. 

(i) Alice and Bob undertake the IR procedure of Section 13.31 and Bob 
obtains the estimate x of Alice's raw key x. 

(ii) Alice and Bob carry out the privacy amplification (PA) procedure to 
distill a key pair {sa,sb) such that Eve has little information about 
it. Alice first randomly chooses a function, / : ^ {0,1}^^^^^ from 
a universal hash family (see Definition 12.2. 12|) , and sends the choice 
of / to Bob over the public channel. Then, Alice's distilled key is 
SA = /(x) and Bos's distilled key is ss = /(x) respectively. 

We have explained the procedures of the postprocessing so far. The 
next thing we have to do is to define the security of the generated key 
formally. By using the convention in Eq. (j2.2p for the {ccg}-state pxYE and 
the mapping that describes the postprocessing, the generated key pair and 
Eve's available information can be described by a {cccg}-state, P^^^SbCE^ 
where classical system C consists of the random variable T that describe 
the syndrome transmitted in the IR procedure and the random variable F 
that describes the choice of the function in the PA procedure. It should 
be noted that the {cccg}-state P^^SbCE depends on the sample sequence 
z because the parameters in the postprocessing is determined from it. To 
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define the security of the distilled key pair {Sa, Sb), we use the universally 
composable security definition BOHL"'"05| IRK05] (see also |Ren05| ). which 



is defined by the trace distance between the actual key pair and the ideal 
key pair. We cannot state security of the QKD protocols in the sense that 
the distilled key pair {Sa, Sb) is secure for a particular sample sequence z, 
because there is a slight possibility that the channel estimation procedure 
will underestimate Eve's information. 

Definition 3.4.1 The generated key pair is said to be e-secure (in the sense 
of the average over the sample sequenc^) if 

E Pr(^)l\\Ps.s,CE - ® PlA < e (3.8) 

zGQ 

for any (unknown) Choi operator p £ Vc initially shared by Alice and Bob, 
where Ps^^ := J2seS^ |5~f 1'^' ^\ uniformly distributed key on the 

key space := {0, 

Remark 3.4.2 |Ren05t Remark 6.1.3] The above security definition can be 
subdivided into two conditions. If the generated key is e-secret, i.e., 



\ ^ -nm/- \ ^ II z z,mix „ z n ^ 



zgQ 

and (5-correct, i.e., 

Y,P^i^)P§,S,{sA^SB)<5, 

zeQ 

then the generated key pair is (e + 5)-secure. 

For a given Choi operator p £ Vc, we define the probability distribution 

PxY,p G V{¥2 X F2) as 

PxYA^,y) ■■= Tr[{\x){x\ \y){y\)p]. (3.9) 



If it is obvious from the context, we occasionally use terms "e-secure", "e-secret" 
and "(5-correct" for specific realization z instead for average. 
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Actually, PxY,p does not depend on the parameter r in the BB84 protocol. 
Therefor, we denote PxY.p by Pxy,uj when we treat the BB84 protocol. 

The following theorem gives a sufficient conditions on /c(z) and ^(z) such 
that the generated key pair is secure. 

Theorem 3.4.3 For each sample sequence z G Q, assume that the IR 
procedure is 5-universally-correct for the class of distributions 

{PxY,p : ||p(z) - p\\ < a} 
in the six-state protocol, and for the class of distributions 

{PxY,uj ■■ ||w(z) - uj\\ < a} 
in the BB84 protocol. For each z G Q, if we set 

^<F.(X|i^)-,(a)-^- 



then the distilled key pair is (e+5+//(Q, m))-secure, where t', 

21og(3/2£) 
n 

Proof. We only prove the statement for the six-state protocol, because 
the statement for the BB84 protocol is proved exactly in the same way 
by replacing p £ Vc with uj £ Q and some other related quantities. The 
assertion of the theorem follows from the combination of Corollarv I2.2.14| 
Remark Lemma EZTM and Eqs. ([MD, and 

For any p G Vc, Eq. (j3.4p means that \\p{z) — p\\ < a with probability 
1 — p{a,m). When ||/5(z) — p\\ > a, the distilled key pair trivially satisfies 

II z z,mix ^ z 11^1 

2\\PSaSbCE - PsaSb ^ ^c-eII ^ ^■ 
On the other hand, when ||/o(z) — p\\ < a, Eq. (j3.10p implies 

£iz) < h'^1\p^e\B) - kiz) - 21og(3/2e) 



(3.10) 
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by using Lemma l2.2.10[ Thus the distilled key satisfies 

"'"II z z,mix ^ z II ^ I r 

^WpsaSbCE - PsaSb ® PceII < e + 

by Corollary 12.2.141 Remark l2.2.15l and the assumption that the IR proce- 
dure is (5-universally-correct for the class of distribution {PxY,p '■ ||/5(z) — 
p\\ < a}. Averaging over the sample sequence z E Q, "we have the assertion 
of the theorem. □ 



From Eq. ()3.10p . we find that the estimator H.z.{X\E) of Eve's ambiguity 
and the syndrome rate for the IR procedure are the important factors 
to decide the key generation rate In the next section, we investigate 
the asymptotic behavior of the key generation rate derived from the right 
hand side of Eq. (|3l^ . 

Remark 3.4.4 The acceptable region Q C Z"^ is defined as follows: Each 
z G Z"^ belongs to Q if and only if the right hand side of Eq. (jS.lOp is 
positive. 

Remark 3.4.5 By switching the role of Alice and Bob, we obtain a post- 
processing with the so-called reverse reconciliatioij^. On the other hand, 
the original procedure is usually called the direct reconciliation. 

In the reverse reconciliation. Bob sends syndrome My to Alice, and 
Alice recovers the estimate y of Bob's sequence. Then, Alice and Bob's 
final keys are sa = /(y) and sb = /(y) for a randomly chosen function 
/ : F2 ^ {0, from a universal hash family. 

For the postprocessing with the reverse reconciliation, we can show al- 
most the same statement as Theorem 13.4.31 by replacing H2,{X\E) with 
Hz{Y\E), which is defined in a similar manner as H2,{X\E), and by using 
(5-universally-correct for the reverse reconciliation. 

In Section 13.61 we will show that the asymptotic key generation rate of 

'■'The reverse reconciliation -was originally proposed by Maurer in the classical key 
agreement context [Mau93] . 
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the reverse reconcihation can be higher than that of the direct reconcihation. 
Although the fact that the asymptotic key generation rate of the direct 
reconciliation and the reverse reconciliation are different is already pointed 
out for QKD protocols with weak coherent states |BBL05t |Hay07| , it is new 
for the QKD protocols with qubit states. 

Remark 3.4.6 Although Alice and Bob conducted the (direct) IR proce- 
dure for the pair of bit sequence (x, y ) in the postprocessing explained so far, 
Alice can locally conducts a (stochastic) preprocessing for her bit sequence 
before conducting the IR procedure. Surprisingly, Renner et al. |RGK051 
IRen05l IKGR05j found that Alice should add noise to her bit sequence in 
some cases, which is called the noisy preprocessing. In the postprocessing 
with the noisy preprocessing, Alice first flip each bit with probability q and 
obtain a bit sequence u. Then, Alice and Bob conduct the IR procedure 
and the PA procedure for the pair (u,y). Renner et al. found that, by ap- 
propriately choosing the value q, the key generation rate can be improved. 

3.4.3 Asymptotic Key Generation Rate of The Six-State 
Protocol 

In this section, we derive the asymptotic key generation rate formula for the 
six-state protocol. As we have seen in Section [3.4.11 the estimator Hz{X\E) 
converges to the true value Hp{X\E) in probability as m goes to infinity. 
On the other hand, Theorem 13.3.21 implies that it is sufficient to set the rate 
of the syndrome so that 

^>mmHJX\Y) (3.11) 
n 

for sufficiently large n, where Hg{X\Y) is the conditional entrop}0 for the 
random variables {X, Y) that are distributed according to PxY,g, and the 
minimization is taken over the set {g : ||/5(z) — < a}. Since the ML 
estimator p{z) is a consistency estimator of p, we can set the sequence 

^"Equivalently, we can regard Hg{X\Y) as the quantum conditional entropy for the 
classical density operator qxy- 
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of the syndrome rates so that it converges to Hp{X\Y) in probability as 
m,n ^ oo. Therefore, we can set the sequence of the key generation rates 
so that it converges to the asymptotic key generation rate formula 

Hp{X\E) - Hp{X\Y) (3.12) 

in probabihty as m, n ^ oo. 

Similarly for the postprocessing with the reverse reconciliation, we can 
set the sequence of the key generation rates so that it converges to the 
asymptotic key generation rate formula 

Hp{Y\E)-Hp{Y\X). (3.13) 



3.4.4 Asymptotic Key Generation Rate of The BB84 Pro- 
tocol 

In this section, we derive the asymptotic key generation rate formula for the 
BB84 protocol. As we have seen in Section [3.4.11 the estimator H2[X\E) 
converges to the true value min^g-p^(^) Hg[X\E) in probability as m goes to 
infinity. On the other hand, Theorem 13.3.21 implies that it is sufficient to 
set the rate of the syndrome so that 

^>uimH^{X\Y) (3.14) 
n 

for sufficiently large n, where H^^{X\Y) is the conditional entropy for the 
random variables {X,Y) that are distributed according to Pxy,uj, and the 
minimization is taken over the set {uj' : ||u)(z) — 6<j'|| < a}. Since the ML 
estimator uj{z) is a consistency estimator of uj, we can set the sequence 
of the syndrome rates so that it converges to H^{X\Y) in probability as 
m,n ^ oo. Therefore, we can set the sequence of the key generation rates 
so that it converges to the asymptotic key generation rate formula 

min Hq{X\E) - H^{X\Y). (3.15) 
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Similarly, for the postprocessing with the reverse reconciliation, we can 
set the sequence of the key generation rates so that it converges to the 
asymptotic key generation rate formula 

min H,{Y\E)-H^{Y\X). (3.16) 

Although the asymptotic key generation rate formulae for the six-state 
protocol (Eqs. (j3.12p and p.l3p l do not involve the minimization, the 
asymptotic key generation rate formulae for the BB84 protocol (Eqs. (|3.15|) 
and (j3.16p ) involve the minimization, and therefore calculation of these for- 
mula is not straightforward. The following propositions are very useful for 
the calculation of the asymptotic key generation rate of the BB84 protocol. 



Proposition 3.4.7 For two Choi operators /0^,p^ G Vc and a probabilis- 
tically mixture p' := + (1 — A)p^, Eve's ambiguity is convex, i.e., we 
have 

Hp,{X\E) < XHp.{X\E) + (1 - \)Hp2{X\E), 
where p'^E is {cg}-state derived from a purification V'abe p'ab- 

Proof. For r = 1 and 2, let ip^^^ ^ purification of the p^^- Then the 
density operator p^c b is derived by Alice's measurement by z-basis and the 
partial trace over Bob's system, i.e.. 



J^(|x)(x|®/)VW(k)(2;|®/) 



(3.17) 



PxE = TrB 
Let 

be a purification of p^^, where TCr is the reference system, and {|1), |2)} is 
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an orthonormal basis of 7iR. Let 



p'xER ■= Trs 



(3.18) 



and let 



PxER '■— 

re{l,2} 

= Ap^s®|l)(l| + (1-A)p^£;0|2)(2| 



be the density operator such that the system Ti.R is measured by {|1), |2)} 
basis. Then we have 



Hp,{X\ER) 

= H{X)-Ip,{X;ER) 
< H{X)-Ip*{X-ER) 
= Hp,{X\ER) 

= XHpi{X\E) + {l-X)Hp2{X\E), 

where the inequality follows from the monotonicity of the quantum mutual 
information for measurements (data processing inequahty) |Hay06| . By 
renaming the systems ER to E, we have the assertion of the lemma. □ 



Remark 3.4.8 In a similar manner, we can also show the convexity 

Hp,iY\E) < \Hp.{Y\E) + (1 - \)Hp.{Y\E) 

under the same condition as in Proposition 13.4.71 

The following proposition reduces the number of free parameters in the 
minimization of Eqs. (|3.15p and (|3.16p . 
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Proposition 3.4.9 For the BB84 protocol, the minimization in Eqs. (I3.15P 
and ()3.16p is achieved by Choi operator q whose components i?zy; -Rxy, Ryz, 
i?yx, and ty, are all 0. 

Proof. The statement of this proposition easily follows from Proposition 
I3.4.7[ We only prove the statement for Eq. (j3.15p because the statement for 
Eq. (j3.16p can be proved exactly in the same manner. 

For any q € Vc{u), let g be the complex conjugate of g. Note that 
eigenvalues of density matrices are unchanged by the complex conjugate, 
and thus Eve's ambiguity Hg{X\E) for g equals to Hg{X\E). By applying 
Proposition 13.4.71 for = Q, p'^ = g, and A = ^ , we have 

H,,iX\E) < \H,iX\E) + ^H-,iX\E), 

where g' = ^g + ^g- Note that the Stokes parameterization of g is given by 

^ Rzz Rzx Rzy 

Rxz Rxx -^xy 7 

\ _ Ryz -^yx ^yy 

Therefore, the components, Rzy, Rxy, Ryz, Ryx, and ty, of the Stokes param- 
eterization of g' are all 0. Since Vc{i^) is a convex set, g' E Vd^j). Since 
g S Vc{^^) was arbitrary, we have the assertion of the proposition. □ 



tz 






tx 













The following proposition can be used to calculate a lower bound on the 
asymptotic key generation rate of the BB84 protocol. 

Proposition 3.4.10 For the BB84 protocol, we have 
min HJX\E) 
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and 



min HJYIE) 



>l-h 



1 + 4 



where dz and are the singular values of the matrix 



i?zz ^zx 
^xz Rxx 



(3.21) 



for w := {Rzz, Rzx, Rxz, Rxx,tz,ty). The equalities in Eqs. (|3.19p and (j3.20p 
hold if tz = t^ = 0. 



Proof. We only prove the statement for Eq. (j3.19p because the statement 
for Eq. (j3.20p is proved exactly in a similar manner. By Proposition 13.4.9} 
it suffice to consider the Choi operator q of the form 



Rzz 


Rzx 







tz 


Rxz 


Rxx 







tx 








i?yy _ 




_ 



Define another Choi operator g := {ay ^ cry)Q{ay cfy) and the mixed one 
g' := ^g+ • Since the Stokes parameterization of g~ is 



Rzz 


Rzx 







" -tz ' 




Rxz 


Rxx 







-tx 


) 








i?yy _ 










the vector part (of the Stokes parameterization) of g' is zero vector, and the 
matrix part (of the Stokes parameterization) of g' is the same as that of g. 
Furthermore, since Hg{X\E) = Hg-{X\E), by using Proposition 13.4.71 we 
have 



H,{X\E) > H,,{X\E). 
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The equaUty holds if tz = ix = 0. 

The rest of the proof is to calculate the minimization of Hgr{X\E) with 
respect to Ryy. By the singular value decomposition, we can decompose the 
matrix R' corresponding to the Choi operator g' as 



Oo 





4 



R 



yy 



Oi, 



where Oi and O2 are some rotation matrices within z-x-plane, and \dz\ and 
\dx\ are the singular value of the matrix in Eq. (j3.2ip . Then, we have 



mm H^>{X\E) 



mm 

-Rvv 



1 - Hie') + 



X&2 



1 - max Qz, Qx, ^y] + h 

Ryy 



1 + ^R2^ + Rl 



1 - h{q\ + gz) - h{q\ + q^) + h 



1 + ,/RlTRl 



where {q\, qz, Qx, Qy) are the eigenvalues of the Choi operator g', and g'§ := 
2Tr^[(|x)(x| 0l)g']. Note that we used Eq. (j2.5p to calculate the von Neu- 



mann entropy H{g'^). By noting that q\ + q^ 



and q\+qx = ^-^^ (see 



Eqs. ({3:12]) and (fOg]) !. we have the statement for Eq. (f3T9]) . 



□ 



The following lemma shows that the function 



G{uj) := min HJX\E) 



(3.22) 



is a continuous function of lo, which we suspended in Section [3.4. 11 



Lemma 3.4.11 The function G(uj) is a continuous function of lv (with 
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respect to the Euchdean distance) for any uj £ Q. 
Proof. Owing to Proposition 13.4.91 we have 

G(uj) = min Hp(X\E), 

where q = (w, 0, 0, 0, 0, i?yy , 0) and 'P'^{uj) is the set of all Ryy such that 
(a;,0,0,0,0,i?yy,0) G Vc{oo). 

Since the conditional entropy is a continuous function, the following 
statement is suffice for proving that is continuous function at any 

ojQ G il. For any G such that \\uj — ujq\\ < e, there exist e',e" > such 
that 

V'.iu;) C e.'(^cK)), (3.23) 
V'.iivo) C Be^mu)), (3.24) 

and e' and e" converge to as e goes to 0, where ;S£/('P^(c<Jo)) is the e'- 
neighbor of the set V'^{ujo). 

Define the set "P" := {{u!,Ryy) : uj G VL,Ryy G 'P^(a;)}, which is a closed 
convex set. Define functions 

Uioj) := max i?vv: 
L(uj) := min R^y 

as the upper surface and the lower surface of the set V'^ respectively. Then 
U{uj) and L{uj) are concave and convex functions respectively, because V'^ 
is a convex set. Thus, U{uj) and L{uj) are continuous functions except the 
extreme points of fi. For any extreme point uj' of 17 and for any interior 
point u) of O, we have U{u)) > U{uj') and L{ijj) < L{uj'), because is 
a convex set. Since V" is a closed set, we have li'ni^_^^^/ U {u) G Vd^^') 
and lim^^^/ L{uj) G V'^uj'), which implies that U{uj') = lim^^^^/ U{uj) and 
L{u;') = lim^_^i^i L{u)). Thus ^7(^1;) and L{uj) are also continuous at the 
extreme points. Since V'^oj) is a convex set, the continuity of U{uj) and 
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L{uj) implies that Eqs. (|3.23p and (|3.24p hold for some e', e" > 0, and e' and 



3.5 Comparison to Conventional Estimation 

In this section, we show the conventional channel estimation procedure, and 
the asymptotic key generation rate formulas with the conventional channel 
estimation. Then, we show that the asymptotic key generation rates with 
our proposed channel estimation are at least as high as those with the 
conventional channel estimation for the six-state protocol (Theorem I3.5.ip 
and the BB84 protocol (Theorem 13. 5. 5p respectively. 

In the conventional channel estimation procedure, Alice and Bob discard 
those bits if their bases disagree. Furthermore, they ignore the difference 
between {x,y) = (0,1) and {x,y) = (1,0). Mathematically, these discarding 
and ignoring can be described by a function g : Z ^ Z := ¥2 x J' x J' 
defined by 



where F2 := F2 U {A} and A is a dummy symbol indicating that Alice and 
Bob discarded that sample bit. 

3.5.1 Six-State Protocol 

In the conventional estimation, Alice and Bob estimate p £ Vc from the 
degraded sample sequence g{z) := {g{zi), . . . , g{zm))- Although the Choi 
operator p is described by 12 real parameters (in the Stokes parameteriza- 
tion), from Eqs. (j2.7p and (j2.8p . we find that the distribution 



e ' converge to as e goes to 0. 



□ 




Pp{~z) = Pp{{z G Z : g{z) = ~z]) 
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of the degraded sample symbol z ^ Z only depends on the parameters 7 = 

(i2zz; -Rxxi -Ryy)) and does not depend on the parameters k = {Rzx, Rzy,Rxz, Rxy,Ryz, Ryx, tz,tx, ty) 

Therefore, we regard the set 

r := {7 G : 3k e M.^ (7, k) G 

as the parameter space, and denote Pp by P^. Then, we estimate the pa- 
rameters 7 by the ML estimator: 

7(z) := argmaxPl"(z) 
7er 

for z e Z™. 

Since we cannot estimate the parameters k, we have to consider the 
worst case, and estimate the quantity 



min HJXIE) 

fe^c(7) 

for a given 7 £ T, where the set 

Veil) ■■={0 = {l',i^')eVc: 7' = 7} 



is the candidates of Choi operators for a given 7 G F. 

By following similar arguments as in Sections 13.4.11 13.4.21 and 13.4.31 we 
can derive the asymptotic key generation rate formula of the postprocessing 
with the direct reconciliation 

imn [H,iX\E) - H,{X\Y)]. (3.25) 

We can also derive the asymptotic key generation rate formula of the post- 
processing with the reverse reconciliation 

min [H,{Y\E) - H,{Y\X)]. (3.26) 



Since Eqs. (|3.25|) and (|3.26|) involves the minimizations, we have the 
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following straight forward but important theorem. 

Theorem 3.5.1 The asymptotic key generation rates for the direct and 
the reverse reconciliation with our proposed channel estimation procedure 
(Eqs. (j3.12p and (jS.lSp ) are at least as high as those with the conventional 
channel estimation procedure (Eqs. (|3.25p and (j3.26p ) respectively. 

The following proposition gives an explicit expression of Eqs. (j3.25p and 
()3.26p for any Choi operator. The following proposition also clarifies that the 
asymptotic key generation rates of the direct and the reverse reconciliation 
coincide for any Choi operator if we use the conventional channel estimation 
procedure. Although the following proposition is implicitly stated in the 
literatures [RGKOSl IRenOSl [KGR05] . we present it for readers' convenience. 



Proposition 3.5.2 For any p = (7, r) e Vc, we have 

mm \H,{X\E)-H,{X\Y)] (3.27) 

= mm \H,{Y\E)-H,{Y\X)] (3.28) 

= 1 - i7[pi,Pz,Px,Py], (3.29) 

where the distribution {p\,Pz,Px,Py) is given by 



Pi = 


1 + Rzz 


+ Rxx 


+ -Ryy 




4 




Pz = 


l + Rzz 


Rxx 


— -Ryy 




4 




Px = 


l-Rzz 


+ Rxx 


— -Ryy 




4 




Py = 


l-Rzz 


— Rxx 


+ -Ryy 




4 





Proof. We only prove the equality between Eqs. (I3.27P and (I3.29p . because 
the equality between Eqs. (|3.28p and (j3.29p can be proved exactly in the 



same manner. 
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For any q G Vc{i), let := (o-z®o-z)e'(o-z'^crz), := {cfx® a^) Q{ay,® a^) , 
and := {ay cry)g{ay ® o"y). Then, g^, g^, and also belong to the set 
Veil)- Define the (partial) twirlecJ^ Choi operator 

:=lg + lg^ + \g^ + \g^. 

Then, the convexity of Vc{"i) implies g^"^ G Vd'j), and we can also find 
that the vector components (in the Stokes parameterization) of is the 
zero vector and the matrix components (in the Stokes parameterization) 
of g^^ is the diagonal matrix with the diagonal entries i?zz; Rxx, and Ryy. 
Furthermore, we find that g^^ = p^'" for any g £ T'd'y)- 

By using Proposition 13.4.71 (twice) , we have 
min [H,iX\E) - H,{X\Y)] 



> Hptm{X\E) 

= l-H{g''")+Y,\H{gT) 



2 

XGF2 



1 - iJ[gi,gz,9x,g'y] +h(^ 



l + i?z 



(3.30) 



where := 2Tia[{\x){x\ 0/)^*"']. 

In a similar manner as in Remark 13.3.31 we have 

H,{X\Y) < H,{W) = Hpt^iW) = h (^-^) (3.31) 

for any g G T'd'y), where Hg{W) is the entropy of the random variable W 
whose distribution is 

PwA^) ■= X] ^xyAv + '^^y)■ 
ye¥2 



'^^The (partial) twirling wEis a technique to convert any bipartite density operator into 
the Bell diagonal state (see Section 14.5.11 for the definition of the Bell diagonal state) . 
The (partial) twirling was first proposed by Bennett et al. |BDSW96] . 
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Combining Eqs. (I3.30p and (I3.3ip . we have the equahty between Eqs. (j3.27p 



Remark 3.5.3 As we can find in the proof of Proposition 13. 5. 2} the use of 

the IR procedure (with the Unear Slepian-Wolf coding) proposed in Section 
13.31 and the use of the IR procedure (with the error correcting code) pre- 
sented in Remark 13.3.31 make no difference to the asymptotic key generation 
rate if we use the conventional channel estimation procedure. 

Remark 3.5.4 It should be noted that Eq. (j3.29|) is the well known asymp- 
totic key generation rate formula |Lo01| . which can be derived by using the 
technique based on the CSS code (See Section 11.11 for the CSS code tech- 
nique) . 

3.5.2 BB84 Protocol 

In the conventional estimation, Alice and Bob estimate p £ Vc from the 
degraded sample sequence g{z) := {g{zi), . . . , g{zm))- Although the Choi 
operator p is described by 12 real parameters (in the Stokes parameteriza- 
tion), from Eqs. (j2.7p and (j2.8p . we find that the distribution 



of the degraded sample symbol z £ Z only depends on the parameters v = 

{Rzz, Rxx), and does not depend on the parameters ? = (-Rzx, Rzy, Rxz, Rxy, Ryz, Ryx, Ryy, tz, tx, ty)- 

Therefore, we regard the set 



as the parameter space, and denote Puj by Py. Then, we estimate the 
parameters v by the ML estimator: 



and ([3:29]) . 



□ 



PU^) = PUU 2 ■■ 9iz)=z}) 



T := {z; G : 3? G M^°, {v, ?) S Vc} 



viz 







argmax (z) 
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for z G i"^. 

Since we cannot estimate the parameters we have to consider the 
worst case, and estimate the quantity 

min HJXIE) 

for a given v ^ v, where the set 

Vc{v) ■.= {Q = {v\q')(^Vc: v' = v} 

is the candidates of Choi operators for a given u € T. 

By fohowing similar arguments as in Sections 13.4.11 13.4.21 and 13. 4. 4^ we 
can derive the asymptotic key generation rate formula of the postprocessing 
with the direct reconciliation 



unn \H,{X\E)-H,{X\Y)]. (3.32) 

Q&Vc{v) 

We can also derive the asymptotic key generation rate formula of the post- 
processing with the reverse reconciliation 

mm \H,{Y\E)-H,{Y\X)]. (3.33) 

Since the range Vc{oj) of the minimizations in Eqs. (|3.15p and (j3.16p is 
smaller than the range Vc{v) of the minimizations in Eqs. (j3.32p and (j3.33p . 
we have the following obvious but important theorem. 



Theorem 3.5.5 The asymptotic key generation rates for the direct and 
the reverse reconciliation with our proposed channel estimation procedure 
(Eqs. (j3.15p and (j3.16p ) are at least as high as those with the conventional 
channel estimation procedure (Eqs. p.32p and (|3.33p ) respectively. 

The following proposition gives an explicit expression of Eqs. (|3.32p and 
()3.33p for any Choi operator. The following proposition also clarifies that the 
asymptotic key generation rates of the direct and the reverse reconciliation 
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coincide for any Choi operator if we use the conventional channel estimation 
procedure. Although the following proposition is implicitly stated in the 
literatures |RGK05[ IRenOSl IKGR05] . we present it for readers' convenience. 



Proposition 3.5.6 For any p = (f,?) € Vc, we have 



min [H,{X\E)-H,{X\Y)] (3.34) 

q£Vc(v) 

= Tcan \H,{Y\E)-H,{Y\X)] (3.35) 

= ,^4l±IA^Jl±M. (3.30) 



Proof. This proposition is proved in a similar manner as Proposition 13 . 5 . 2l 
Therefore, we omit the proof. □ 



Remark 3.5.7 It should be noted that the same remark as Remark 13.5.31 
also holds for the BB84 protocol. 

Remark 3.5.8 It should be noted that Eq. ()3.36p is with the well known 
asymptotic key generation rate formula [SPOOj . which can be derived by 
using the technique based on the CSS code (See Section 11.11 for the CSS 
code technique). 



3.6 Asymptotic Key Generation Rates for Specific 
Channels 

In this section, we calculate the asymptotic key generation rates of the BB84 
protocol and the six-state protocol for specific channels, and clarify the ad- 
vantage to use our proposed channel estimation instead of the conventional 
channel estimation. 
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3.6.1 Amplitude Damping Channel 

When the channel between Alice and Bob is an amplitude damping channel, 
the Stokes parameterization of the corresponding density operator pp € Vc 
is 



1 -p 






p 






(3.37) 



where < p < 1. 

For the six-state protocol, since there are no minimization in Eqs. (j3.12p 
and (|3.13p . there are no difficulty to calculate Eqs. (j3.12p and (j3.13p . 

Next, we consider the BB84 protocol. For w = (1 — p, 0, 0, ^1 — p,p, 0), 
Eqs. p.lSp and (|3.16p can be calculated as follows. By Proposition l3.4.9i it is 
sufficient to consider q G Vd'-^) such that R^y = R^y = R 
Furthermore, by the condition on the TPCP map |FA99] 



Uyz 



R 



■yx 



0. 



(R. 



R 



■yy) 



< il-R,,f-tl 



we can decide the remaining parameter as Ryy = y/1 — p. Therefore, Eqs. (I3.15P 
and (j3.16p coincide with the true values respectively. Furthermore, the 
asymptotic key generation rates for the BB84 protocol coincide with those 
for the six-state protocol. 

The asymptotic key generation rates for the direct and the reverse rec- 
onciliations can be written as functions of the parameter p: 



h 



1+p 



h 



p 



and 



(3.38) 



(3.39) 



respectively. They are plotted in Fig. 13. 1[ 

From Fig. \3.1\ we find that the asymptotic key generation rate with 
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the reverse reconcihation is higher than that with the forward reconciha- 
tion. Actually, they are analyzed in detail as follows. By a straightforward 
calculation, we have 

Hp{X\E) = l + h{p)-h[^) 
= H,{XY)-hQ 

and 

= H,iXY)-h{£l, 

where Hp{XY) is the entropy of the random variables with distribution 
PxY,p- Therefore, the difference between the asymptotic key generation rate 
with the forward and the reverse reconciliations comes from the difference 
between Hp{X\Y) and Hp{Y\X)^ which is equal to the difference between 
Hp{Y) and Hp{X) = 1. Note that Hp{Y) goes to as p ^ 1. 

The Bell diagonal entries of the Choi operator pp are \{2 + 2y/l — p — p), 
jP, i(2 — 2-^1 —p — p), and ^p. When Alice and Bob only use the degraded 
statistic, i.e., when Alice and Bob use the conventional channel estimation, 
the asymptotic key generation rates of the six-state protocol and the BB84 
protocol can be calculated only from the Bell diagonal entries (Propositions 
13.5.21 and I3.5.6P , and are also plotted in Fig. 13.11 

Remark 3.6.1 As is mentioned in Remark 13.4.61 there is a possibility to 
improve the asymptotic key generation rate in Eq. (j3.12p by the noisy pre- 
processing. If a {ccg}-state pxYE derived from a Choi operator p £ Vc 
satisfies the condition below, we can show that the noisy preprocessing does 
not improve the asymptotic key generation rate. 
We define a {ccg}-state 

PXYE= ^ PxYix,y)\x,y){x,y\ ^ p""^^ 
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0.2 0.4 0.6 0.8 1.0 

Parameter p 

Figure 3.1: Comparison of the asymptotic key generation rates against the 
parameter p of the amplitude damping channel (see Eq. (j3.37p ). "Reverse" 
and "Direct" are the asymptotic key generation rates when we use the re- 
verse reconciliation and the direct reconciliation with our channel estimation 
procedure (Eqs. ()3.39p and (13.380 ) respectively. "Conventional six-state" 
and "Conventional BB84" are the asymptotic key generation rates of the 
six-state protocol and the BB84 protocol with the conventional channel es- 
timation procedure. Note that the protocols with the conventional channel 
estimation procedure involves the noisy preprocessing [RGK051 IKGR05] in 
the postprocessing. 
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to be degradable statqlj (from Alice to Bob and Eve) if there exist states 
{PclyGFa satisfying 

for any x S F2. If a {ccg}-state pxYE derived from a Choi operator p is 
degradable, then the asymptotic key generation rate in Eq. (j3.12p is optimal, 
that is, it cannot be improved by the noisy preprocessing. 

The above statement is proved as follows. Even if we know the Choi 
operator p in advance, the asymptotic key generation rate of any postpro- 
cessing is upper bounded by the quantum intrinsic information^^! 

Ip{X-Y [E) ■.= iuiI,{X-Y\E'), 

where 

Ip{X- Y\E') := Hp{XE) + Hp{YE) - Hp{XYE) - Hp{E) 

is the quantum conditional mutual information, and the infimum is taken 
over all {ccg}-states pxYE' = iid(dAfE^E')ipxYE) for CPTP maps A/'e_»_e' 
from system E to E' jCEH"'"07] . Taking the identity map id^;, the quantum 
conditional mutual information Ip{X;Y\E) itself is an upper bound on the 
asymptotic key generation rate for any postprocessing. 

Since we are now considering the postprocessing in which only Alice 
sends the public message, the maximum of the asymptotic key generation 
rate only depends on the distribution Pxv and {cg}-state pxE- Thus the 
maximum of the asymptotic key generation rate for pxY E is equals to that 



^^The concept of the degradable state is an analogy of the degradable channel |DS05j . 
For the degradable channel, the quantum wire-tap channel capacity [Dev05] is known to 
be achievable without any auxiliary random variable I SmiOS i IHay06J . 

^^It is the quantum analogy of the intrinsic information proposed by Maurer and Wolf 
|MW99) . 
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for degraded version of it, 

PXYE ■■= ^PxY{x,y)\x){x\ ® \y){y\ ® p^.. 
x,y 

Applying the above upper bound Ip{X;Y\E) for the degraded {ccg}-state 
PXYE, the maximum of the asymptotic key generation rate is upper bounded 
by 

Ip{X;Y\E) 

= Ip{X;YE)-Ip{X;E) 

= Hp{X\E)-H{X\Y)+Ip{X-E\Y) 

= Hp{X\E) - H{X\Y), 

which is the desired upper bound, and equals to Eq. (|3.12|) . 

For the amplitude damping channel, we can show that the {ccg}-state 
PXYE is degradable by a straightforward calculation. Therefore, the asymp- 
totic key generation rate in Eq. (j3.12p is optimal for the amplitude damping 
channel. 

Although we exclusively considered a key generated from the bit se- 
quences transmitted and received by the z-basis, we can also obtain a key 
from the bit sequences transmitted and received by the x-basis (or the y- 
basis for the six-state protocol). In this case, the asymptotic key generation 
rates are also given by Eqs. (|3.12p . (j3.13p . (|3.15p . and (|3.16p . where the 
definition of the {cgj-state pxE and the distribution Pxy must be replaced 
appropriately. 

For the amplitude damping channel, the asymptotic key generation 
rates for the forward and the reverse reconciliations can be written as func- 



By the symmetry of the amphtude damping channel for the x-basis and the y-basis, 
the asymptotic key generation rates for the y-basis are the same as those for the x-basis 
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tions of the parameter p: 



1 + h 



( 



1 + ^/l - p + p- 
2 




(3.40) 



and 




) 



(3.41) 



respectively. They are plotted in Fig. 13.21 and compared to the asymptotic 
key generation rates with the conventional channel estimation. 

From Fig. 13.21 we find that the asymptotic key generation rate with 
the reverse reconciliation is higher than that with the forward reconcilia- 
tion. Although the difference between the asymptotic key generation rate 
with the forward and the reverse reconciliations comes from the difference 
between Hp{X\Y) and Hp{Y\X) in the case of the z-basis, the difference be- 
tween the asymptotic key generation rate with the forward and the reverse 
reconciliations comes from the difference between Hp{X\E) and Hp{Y\E), 
because Hp{X\Y) = Hp(Y\X) in the case of the x-basis. 

3.6.2 Unital Channel and Rotation Channel 

A channel is called a unital channel if £b maps the completely mixed state 
1/2 to itself, or equivalently the corresponding Choi operator p £ Vc satis- 
fies Tr^[p] = 1/2. In the Stokes parameterization, a unital channel {R,t) 
satisfies that t is the zero vector. The unital channel has the following 
physical meaning in QKD protocols. When Eve conducts the Pauli cloning 
|CerOO) with respect to an orthonormal basis that is a rotated version of 
{|0z), |lz)}i the quantum channel from Alice to Bob is not a Pauli channel 
but a unital channel. It is natural to assume that Eve cannot determine the 
direction of the basis {|0z), |lz)} accurately, and the unital channel deserve 
consideration in the QKD research as well as the Pauli channel. 

By the singular value decomposition, we can decompose the matrix R 
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Parameter p 



Figure 3.2: Comparison of the asymptotic key generation rates against the 
parameter p of the amphtude damping channel (see Eq. (j3.37p ) for a key 
generated from the bit sequences transmitted and received by the x-basis. 
"Reverse" and "Direct" are the asymptotic key generation rates when we use 
the reverse reconciliation and the direct reconciliation with our channel esti- 
mation procedure (Eqs. (j3.4ip and (|3.40p ) respectively. "Conventional six- 
state" and "Conventional BB84" are the asymptotic key generation rates of 
the six-state protocol and the BB84 protocol with the conventional channel 
estimation procedure. Note that the protocols with the conventional chan- 
nel estimation procedure involves the noisy preprocessing |RGK05[ IKGROSj 
in the postprocessing. 
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of the Stokes parameterization as 





ez 










02 





ex 





Oi 










ey . 





(3.42) 



where Oi and O2 are some rotation matricea^^l. and |ez|, |ex|, and |ey| are the 
singular value of the matrix ij^. Thus, we can consider the unital channel 
as a composition of a unitary channel, a Pauli channel 

q\p + qzC^zPCfz + QxCTxPf^x + QyCfypay, 
and a unitary channel |BW04] . where 



l+ez 


+ex+ey 
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1+ez 






4 


1-ez 


+ex-ey 
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1-ez 





(3.43) 



For the six-state protocol, we can derive simple forms of Hp{X\E) and 
Hp{Y\E) as follows. 

Lemma 3.6.2 For the unital channel, we have 

Rlz + R'xz + R'yz\ 

Hp{X\E) = 1 - H[quqz, qx, qy] + h \ ] (3.44) 



and 



Hp(Y\E) = 1 - H[q;,q,,q,,qy] + h 



1 + JRI, + Rl^ + R% 



(3.45) 



^^The rotation matrix is the real orthogonal matrix with determinant 1. 

^^The decomposition is not unique because we can change the order of (cz, fix, ey) or the 
sign of them by adjusting the rotation matrices Oi and 02- However, the result in this 
paper does not depends on a choice of the decomposition. 
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Proof. We omit the proof because it can be proved in a similar manner as 
the latter half of the proof of Proposition I3.4.10[ □ 
From this lemma, we can find that R'^^+Ry^ = R^x+^zy is the necessary and 

sufficient condition for Hp(X\E) = Hp{Y\E). Furthermore, we can show 
Hp{X\Y) = Hp{Y\X) = h{{l + i?zz)/2) by a straightforward calculation. 



For the BB84 protocol, Vc{uj) consists of infinitely many elements in 
general. By using Proposition 13.4.101 we can calculate Eve's worst case 
ambiguity as 



min HJX\E) 



1-h 



1 + 4 



hl '-±^)+h r-±y^^±^] (3.46) 



and 



min HJY\E) 



1-h 



1 + dz 



,^l±^]^Jl±VK±K\, (3.47) 



where dz and are the singular values of the matrix 



i?77 Ry 



From 



-^xz ^xx 

these formulae, we find that i?xz = Rzx is the necessary and sufficient 
condition for m.mg^p^(^i^-^ Hg{X\E) coincides with minpg-p^(^) iJg(y|i?). It 
should be noted that the singular values {dz,dx) are different from the sin- 
gular values (I Cz I, I ex I) in general because there exist off-diagonal elements 
{Rzy, Rxy, Ryz, Ryx}- By a straightforward calculation, we can show that 
HUX\Y) = HUY\X) = hi{l + Rzz)/2). 



In the rest of this section, we analyze a special class of the unital channel, 
the rotation channel, for the BB84 protocol. The rotation channel is a 
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channel whose Stokes parameterization is given by 



cos — sin ■!? 
sin t9 cos t9 
1 









The rotation channels occur, for example, when the directions of the trans- 
mitter and the receiver are not properly aligned. 

For the rotation channel, Eq. (j3.46p gives ming^-p^^^^^ Hg{X\E) = 1, 
which implies that Eve gained no information. Thus, Eve's worst case am- 
biguity, mingg-p^(j^) Hg{X\E) coincide with the true value Hp{X\E), and the 
BB84 protocol can achieve the same asymptotic key generation rate as the 
six-state protocol. 

The reason why we show this example is that Alice and Bob can share 
a secret key with a positive asymptotic key generation rate even though 
the so-called error rate is higher than the 25% limit |GL03j in the BB84 
protocol. The Bell diagonal entries of the Choi operator p that corresponds 
to the rotation channel are cos^(t?/2), 0, 0, and sin^('!?/2). Thus the error 
rate is sin^('!9/2). For 7r/3 < i? < 57r/3, the error rate is higher than 25%, but 
we can obtain the positive key rate, 1 — /i(sin^('!9/2)) except i? = 7r/2,3-7r/2. 
Note that the asymptotic key generation rate in Eq. (|3.32|) is given by 
1 - 2/i(sin^(i?/2)). This fact verifies Curty et al's suggestion [CLL04j that 
key agreement might be possible even for the error rates higher than 25% 
limits. 



3.7 Condition for Strict Improvement 

So far, we have seen that the asymptotic key generation rates with our pro- 
posed channel estimation is at least as high as those with the conventional 
channel estimation (Section 13. 5p . and that the former is strictly higher than 
the latter for some specific channels (Section 13. 6|) . For the BB84 protocol, 
the following theorems show the necessary and sufficient condition such that 
the former is strictly higher than the latter is that the channel is a Pauli 
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channel. 

Theorem 3.7.1 Suppose that R^z / and i?xx / 0. In the BB84 pro- 
tocol, for the bit sequences transmitted and received by either z-basis or 
the x-basis, the asymptotic key generation rates with our proposed chan- 
nel estimation are strictly higher than those with the conventional channel 
estimation if and only if (tz^^x) 7^ (0)0) or {Rzx, Rxz) (0,0). 

Proof. We only prove the statement for the direct reconciliation, because 
the statement for the reverse reconciliation can be proved in a similar man- 
ner. 

"only if part Suppose that {tz,Q = (0,0) and {Rzx, Rxz) = (0,0). 
Then, Propositions 13.4.101 and 13.5.61 implies that Eq. (|3.15|) is equal to 
Eq. (j3.32p . Similarly, the asymptotic key generation rate for the x-basis 
with our proposed channel estimation is equal to that with the conventional 
channel estimation. 

"if part Suppose that tz ^ 0. Let g* be the Choi operator satisfying 
H,,{X\E) - H,,{X\Y) = min [H,{X\E) - H,{X\Y)]. 

Then, we have 

HAX\Y) = h{^-±^^=H^{W), 
where H^{W) is the entropy of the distribution defined by 

Then, tz 7^ and the arguments at the end of Remark 13.3.31 imply 



H^{X\Y) < H^{W). 
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Since 



min HJX\E)> min HJXlE) > H„*(X\E), 

Eq. ()3.15p is strictly higher than Eq. (j3.32p . In a similar manner, we can 
show that the asymptotic key generation rate for the x-basis with our pro- 
posed channel estimation is strictly higher that that with the conventional 
channel estimation if tx 7^ 0. 

Suppose that (iz,ix) = (0,0) and Rzx / 0. By using Proposition 13.4. 10} 
we have 



min H,{X\E) - HUX\Y) 



1-h 
+ h 



1 + d, 



h 



l+dx 



2 J \ 2 



l + i?z 



By the singular value decomposition, we have 

= B diag[(iz, dy\ A 



Rzz Rzx 
Rxz Rxx 





' dz 










dx 



l^z) \Ax) 



(3.48) 



{Bz\ 
{Bx\ 

(BM,) {BMx) 
{Bx\A,) {Bx\Ax) 



where A and B are the rotation matrices, and we set (A^l = (dz^zz, dxA^x) 
and {Ax\ = {dzAxz, dxAxx) ■ Erom Proposition I3.5.6| we have 



unn [H,{X\E) - H,{X\Y)] 



1 - h 



1 + {BMz 



1 + (^xl^x) 



(3.49) 



72 



Chapter 3. Channel Estimation 



Subtracting Eq. (j3.49p from Eq. (I3.48p . we have 



2 I \ 2 

n 



2 \ 2 



l + ll|Ax)ll \ . , / 1 + lll^z 



> h "' +h 



2 \ 2 



h 



2 



zz- \ 2 ) V 2 



- /i 

= 0, (3.50) 
where the second inequahty fohows from the concavity of the function 

which can be shown by a straight forward calculation. Thus, we have shown 
that Eq. (j3.15p is strictly higher than Eq. (j3.32p . In a similar manner, we 
can show that the asymptotic key generation rate for the x-basis with our 
proposed channel estimation is strictly higher that with the conventional 
channel estimation if i?xz 7^ 0. □ 
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3.8 Summary 

The results in this chapter is summarized as follows: In Section 13.21 we 
formally described the problem setting of the QKD protocols. 

In Section 13.31 we showed the most basic IR procedure with one-way 
public communication. We introduced the condition such the IR proce- 
dure is universally correct (Definition 13.3. 1|) . This condition was required 
because the IR procedure have to be robust against the fluctuation of the 
estimated probability of Alice and Bob's bit sequences. We also explained 
the conventionally used IR procedure with the error correcting code, and we 
clarified that the length of the syndrome that must be transmitted in the 
conventional IR procedure is larger than that in our IR procedure (Remark 
I3.3.3p . We showed how to apply the LDPC code with the sum product 
algorithm in our IR procedure (Remark 13. 3. 4p . 

In Section [3.4.11 we showed our proposed channel estimation procedure. 
We clarified a sufficient condition on the key generation rate such that 
Alice and Bob can share a secure key (Theorem I3.4.3p . and we derived the 
asymptotic key generation rate formulae. We developed some techniques 
to calculate the asymptotic key generation rates (Propositions 13.4.91 and 
I3.4.1UP for the BB84 protocol. 

In Section 13.51 we explained the conventional estimation procedure. 
Then, we derived the asymptotic key generation rate formulae with the 
conventional channel estimation. 

In Section 13.61 we investigated the asymptotic key generation rates for 
some examples of channels. We also introduced the concept of the degrad- 
able state, and we clarified that the asymptotic key generation rate in 
Eq. (|3.12p is optimal if the state shared by Alice, Bob, and Eve is degradable 
(Remark I3.6.ip . For the rotation channel, we clarified that the asymptotic 
key generation rate can be positive even if the error rate is higher than the 
25% limit (Section [M21)- 

Finally in Section [3.71 for the BB84 protocol we clarified the necessary 
and sufficient condition such that the asymptotic key generation rates with 
our proposed channel estimation is strictly higher than those with the con- 
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ventional channel estimation is that the channel is a Pauli channel. 



Chapter 4 

Postprocessing 



4.1 Background 

The postprocessing shown in Chapter [3] consists of the IR procedure and 
the PA procedure. Roughly speaking, Ahce and Bob can share a secret key 
with the key generation rate 

Hp{X\E) - H,{X\Y) (4.1) 

in that postprocessing. An interpretation of Eq. (j4.ip is that the key gen- 
eration rate is given by the difference between Eve's ambiguity about Al- 
ice's bit sequence subtracted by Bob's ambiguity about Alice's bit sequence. 
Therefore, when Eve's ambiguity about Alice's bit sequence is smaller than 
Bob's ambiguity about Alice's bit sequence, the key generation rate of that 
postprocessing is 0. 

In |Mau93] . Maurer proposed a procedure, the so-called advantage dis- 
tillation. The advantage distillation is conducted before the IR procedure, 
and the resulting postprocessing can have positive key generation rate even 
though Eq. (j4.ip is negative. Gottesman and Lo applied the advantage 
distillation to the QKD protocols |GL03j . In the QKD protocols, the post- 
processing with the advantage distillation was extensively studied by Bae 
and Acm [BA07j . 
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In this chapter, we propose a new kind of postprocessing, which can 
be regarded as a generahzation of the postprocessing that consists of the 
advantage distillation, the IR procedure, and the PA procedure. In our 
proposed postprocessing, the advantage distillation and the IR procedure 
are combined into one procedure, the two-way IR procedure. After the 
two-way IR procedure, we conduct the standard PA procedure. 

The rest of this chapter is organized as follows: In Section S21 we review 
the advantage distillation. Then in Section 14.31 we propose the two-way in- 
formation reconciliation procedure. In Section 14.41 we show a sufficient 
condition of the key generation rate such that Alice and Bob can share a 
secure key by our proposed postprocessing. In Section 14.51 we clarify that 
the key generation rate of our proposed postprocessing is higher than the 
other postprocessing by showing examples. Finally, we mention the rela- 
tion between our proposed postprocessing and the entanglement distillation 
protocols in Section 

4.2 Advantage Distillation 

In order to clarify the relation between the two-way IR procedure and the 
advantage distillation proposed by Maurer |Mau93j . we review the postpro- 
cessing with the advantage distillation in this section. For convenience, the 
notations are adapted to this thesis. We assume that Alice and Bob have 
correlated binary sequences x, y E F^" of even length. The pair of sequences 
(x, y) is independently identically distributed (i.i.d.) according to a joint 
probability distribution Pxy G 'P(F2 x F2). 

First, we need to define some auxiliary random variables to describe the 
postprocessing with the advantage distillation procedure. Let ^ : Fg ^ F2 
be a function defined as ^(ai, 02) := ai + 02 for ai, 02 € F2, and let ( ■.¥'2 ^ 
¥2 be a function defined as ({a, 0) := a and ({a, 1) := for a £ ¥2- For a pair 
of joint random variables {{Xi,Yi), {X2,Y2)) with a distribution, -P^y, we 
define random variables Ui := ^(Xi, X2), Vi := ^(Yi, I2) and Wi := Ui + Vi. 
Furthermore, define random variables U2 ■= C{^2, Wi), V2 := C(^2; Wi) and 
W2 := U2 + V2. For the pair of sequences, x = (xn, 3:12, . . . , Xni,Xn2) and 
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y = (yii,yi2, • • • ,yni,yn2), which is distributed according to let u, v 

and w be 2n-bit sequences such that 

Uii ■= ^{xii,Xi2), Vii := ^{yii,yi2), wn := un +Vii 

and 

Ui2 ■= C{Xi2,Wil), Vi2 := C{yi2,Wil), Wi2 := Ui2 + Vi2 

for 1 < i < n. Then, the pair (u,v) and the discrepancy, w between u and 
V are distributed according to the distribution Pij-^ij2ViV2WiW2' 

The purpose of the advantage distillation is to classify blocks of length 
2 according to the parity wn of the discrepancies in each block. When Pxy 
is a distribution such that Px is the uniform distribution and Py\x is a 
binary symmetric channel (BSC), the validity of this classification can be 
understood because we have 

H{Xi2\YaYi2,W^ = l) = l. 

This formula means that Alice have to send Xi2 itself if she want to tell Bob 
Xi2- Therefore, they cannot obtain any secret key from Xi2, and they should 
discard Xi2 if = 1. For general Pxy, the validity of above mentioned 
classification is unclear. For this reason, we employ a function which is more 
general than ^ in the next section. 

By using above preparations, we can describe the postprocessing with 
the advantage distillation as follows. First, Alice sends the parity sequence 
ui := (nil, . . . , to Bob so that he can identify the parity sequence 
wi := {wii, . . . ,Wni) of the discrepancies. Bob sends wi back to Alice. 
Then, they discard ui and vi := {vii,...,Vni) respectively, because ui 
is revealed to Eve. As the final step of the advantage distillation, Alice 
calculat^ the sequence U2 := {uu, ■ ■ ■ , Un2) by using x and wi. 



^Conventionally, Alice discard those blocks if w^i = 1. 
vert the second bit of those blocks into the constant Ui2 
equivalent to discarding those blocks. 



In our procedure, Alice con- 
= 0, which is mathematically 
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At the end of the advantage distillation, Alice has U2 and Bob has y 
and wi as a seed for the key agreement. By conducting the (one-way) IR 
procedure and the PA procedure for (u2,(y,wi)), Alice and Bob share a 
secret key. 

4.3 Two- Way Information Reconciliation 

In this section, we show the two-way IR procedure. The essential difference 
between the two-way IR procedure and the advantage distillation is that 
Alice does not send the sequence ui itself. As is usual in information theory, 
if we allow negligible error probability, Alice does not need to send the parity 
sequence, ui, to Bob to identify parity sequence ui. More precisely. Bob 
can decode ui with negligible decoding error probability if Alice sends a 
syndrome with a sufficient length. Since Eve's available information from 
the syndrome is much smaller than that from sequence Ui itself, Alice and 
Bob can use ui as a seed for the key agreement. 

First, we need to define some auxiliary random variables. As we have 
mentioned in the previous section, we use a function which is more gen- 
eral than Let XA,Xb be arbitrary functions from F2 to F2. Then, let 
^2 be a function defined as CA(ai;«2;03) := ai if XA(a2,a3) = 0, 
and (^74(01,02,03) := else. Let Cb ■ ^2 ^ ^2 be a function defined as 
CsibiMM) ■= h if Xb(&2,&3) = 0, and C,B{biMM) ■= else. By us- 
ing these functions and the function ^ defined in the previous section, we 
define the auxiliary random variables: Ui := S,{Xi,X2), V\ := ^(Yi,y2), 
:= Ui + Vi, U2 := Ca{X2,Ui,Vi), and V2 := Cb (5^2 , f/i , ^1 ) • These 
auxiliary random variables mean that either Alice or Bob's second bits are 
kept or discarded depending on the values of xa{Ui,Vi) and XBiUi,Vi). 
The specific form of XA and xb will be given in Section 14.51 so that the 
asymptotic key generation rates are maximized. 

Our proposed two-way IR procedure is conducted as follows: 

(i) Alice calculate ui and Bob does the same for vi. 
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(ii) Alice calculates syndrome ti = ti(ui) := Miui, and sends it to Bob 
over the public channel. 

(iii) Bob decodes (y, ti) into estimate of ui by a decoder ui : (F^)" xF2^ 
Fj. Then, he calculates wi = ui + vi, and sends it to Alice over the 
public channel. 

(iv) Alice calculates U2 by using x, wi, and the function (a- Bob also 
calculates V2 by using y, w, and the function (b- 

(v) Alice calculates syndrome iA,2 '■= Ma,2'^2, and sends it to Bob over 
the public channel. Bob also calculate syndrome tB,2 '■= -^B,2V2, and 
sends it to Alice over the public channel. 

(vi) Bob decodes (y, wi,t^^2) into estimate of U2 by using a decoder U2 : 
(Fl)" X F^ X F2-^'' ^ F^. Alice also decodes (x,wi,tB,2) by using a 
decoder va : (F^)" x F^ x Fg'''" ^ F^. 

As we mentioned in Section 13.31 the decoding error probability of the 
two-way IR procedure have to be universally small for any distribution in 
the candidate {PxY,9 ■ £ 0} that are estimated by Alice and Bob. For 
this reason, we introduce the concept that a two-way IR procedure is d- 
universally-correct in a similar manner as in Definition 13.3.11 

Definition 4.3.1 We define a two-way IR procedure to be (5-universally- 
correct for the class {Pxy,9 ■ ^ £ ©} of probability distribution if 

-Ply,e({(x,y) : (ui,U2,V2) / (ui,U2,V2) or 

(U1,U2,V2) 7^ (ui,U2,V2)}) < 6 

for any 9 £ Q. 

An example of a decoder that fulfils the universality is the minimum 
entropy decoder. For Step (jin|) . the minimum entropy decoder is defined by 

ui(y,ti):= argmin H{Pu^y), 

uieF5:MiUi=ii 
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where Puiy G 'Pn{^2) the joint type of the sequence 

(ui,y) = ((uii,yii,yi2), • • • , (n„i, y„i, y„2)) 
of length n. For Step (|vi]) . the minimum entropy decoder is defined by 
U2(y, wi,t2) := argmin H{Pu2VJiy), 

U2eF^:MA,2U2=tA,2 

where -Pu2Wiy £ 'Pn{^2) is the joint type of the sequence 

(U2,wi,y) = ((^12,^11,^11,^12),... ,{Un2,Wnl,ynl,yn2)) 

of length n. The minimum entropy decoder for V2 is defined in a similar 
manner. 

Theorem 4.3.2 |Csi821 Theorem 1] Let ri, r^^i, and rA,2 be real numbers 
that satisfy 

n > mmH{Ui^e\yi,eY2,e), 
rA,2 > minH{U2,e\WifiYi^gY2fi), 

and 

rB,2 > mm H{V2,e\Wi 0X1 0X2^0), 

respectively, where C/1,0 = (,{Xi^0, X2,0), Wi^ = Ui^ + CC^i.e, ^2,e), and 
U2fi = C(-^2,6»5 Wifi) for the random variables [Xi^0,X2fi, Y10, ^2,6*) that are 
distributed according to Pxye- Then, for every sufficiently large n, there 
exist a fei X n parity check matrix Mi, a kA,2 x n parity check matrix Myi^2j 
and a A;b,2 x n parity check matrix Mb,2 such that ^ < ri, < rA,2, and 
^ ^B,2, and the decoding error probability by the minimum entropy 
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decoding satisfies 

^ly,e({(x,y) : (ui,U2,V2) + (ui,U2,V2) or 

(ui,U2,V2) / (ui,U2,V2)}) 

for any E B, where Ea,2^ Eb,2 > are constants that do not depends 
on n. 

4.4 Security and Asymptotic Key Generation Rate 

4.4.1 Sufficient Condition on Key Generation Rate for Se- 
cure Key Agreement 

In this section, we show how Ahce and Bob decide the parameters of the 
postprocessing and share a secret key. Then, we show a sufficient condition 
on the parameters such that Ahce and Bob can share a secure key. We 
employ almost the same notations as in Section [3. 4.11 

Let us start with the six-state protocol. Instead of the conditional von 
Neumann entropy Hp{X\E), the quantities 

Hp{UiU2V2\WiEiE2) = H{pu^u2V2WiEiE2) — H{pwiEiE2) (4.2) 

and 

H p{U2V2\UlWiEiE2) = H{pu^u^V2WxExE2) - HipUiWiEiEi) (4.3) 

play important roles in our postprocessing, where the von Neumann en- 
tropies are calculated with respect to the operator PU1U2V2W1E1E2 derived 
from via the measurement and the functions S,,Ca,Cb- For the ML 
estimator p(z) of p G "Pc, we set 

H,{UiU2V2\WiEiE2) := Hf,^,^{UiU2V2\WiEiE2) 



82 



Chapter 4. Postprocessing 



and 

H^{U2V2\UiWiEiE2) := Hf,^,){U2V2\UiWiE^E2), 

which are the ML estimators of the quantities in Eqs. (|4.2p and (j4.3p re- 
spectively. 

For the BB84 protocol, we similarly set 

H^iUiU2V2\WiEiE2) := min H,{UiU2V2\WiEiE2) 

and 

HziU2V2\UiWiEiE2) := min H,{U2V2\UiWiEiE2) 
respectively. 

According to the sample bit sequence z, Alice and Bob decide the rate 
hl^^ ^A,2{^) ^ g^j^j kB,2{z) ^£ ^j^^ parity check matrices used in the two-way 

IR procedure. Furthermore, they also decide the length £(z) of the finally 
distilled key according to the sample bit sequence z. Then, they conduct 
the postprocessing as follows. 

(i) Alice and Bob undertake the two-way IR procedure of Section 14.31 
and they obtain (ui,U2,V2) and (ui,U2,V2) respectively. 

(ii) Alice and Bob carry out the PA procedure to distill a key pair [sa-, sb)- 
First, Alice randomly chooses a hash function, / : F^" — > {0,1}^'^^), 
from a family of two- universal hash functions, and sends the choice of 
/ to Bob over the public channel. Then, Alice's distilled key is sa = 
/(ui,U2, V2) and Bob's distilled key is = /(ui,U2, V2) respectively. 

The distilled key pair and Eve's available information can be described 
by a {cccg}-state, p's^SbC'E^ where classical system C consists of random 
variables Ti, Ta,2, and Tb,2 that describe the syndromes transmitted in 
Steps (jn]) and (jvj) of the two-way IR procedure and random variable F that 
describe the choice of the function in the PA procedure. Then, the security 
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of the distilled key pair is defined in the same way as in Section [3.4.11 i.e., 
the key pair is said to be e-secure if Eq. (j3.8p is satisfied. 

The following theorem gives a sufficient condition on ki{z), /i;^_2(z), 
^B,2(z), and i{z) such that the distilled key is secure. 

Theorem 4.4.1 For each sample sequence z £ Q, assume that the IR 
procedure is 5-universally-correct for the class of distributions 

{PxY,p ■■ ||p(z) - p\\ < a} 
in the six-state protocol, and for the class of distributions 

{PxY,uj ■■ ||w(z) - LoW < a} 
in the BB84 protocol. For each z G Q, if we set 

e{z) 



2n 



1 

< — max 



H^{U2V2\UiWiEiE2) - 7j{a) 



n n n 

kA,2{z) kB,2{z)' 



n n 



(4.4) 



then the distilled key is (e + 3(^+/x(a, m))-secure, where z/„ := 5y ) -|- 

21og(3/£) 
n 

Proof. We only prove the statement for the six-state protocol, because 
the statement for the BB84 protocol is proved exactly in the same way 
by replacing p £ Vc with uj £ ^1 and some other related quantities. The 
assertion of the theorem is proved by using Corollarv l2.2.14t Lemma [2.2.10t 
Lemma EXl and Eq. (lOD . 

For any p £ Vc, Eq. (j3.4p means that \\p{z) — p\\ < a with probability 
1 — p{a,m). When \\p{z) — p\\ > a, the distilled key pair is 1-secure. 
For \\p{z) — p\\ < a, we first assume (proved later) that the dummy key 
S := /(Ui,U2,V2) is e-secret under the condition that Eve can access 
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(Wi,ri,TA,2,rB,2,F,E), i.e., 

1 II z z,mix ^ z II ^ ^ A r:\ 

2\\PswiTiTa,2Tb,2FE - Ps ^ PwiTiTa,2Ts,2™II ^ £• l^.bj 

The assumption that the two-way IR procedure is (5-universally-correct im- 
phes that wi = wi, tA,2 = tA,2 ■= Ma,2U2, and 13,2 = tB,2 ■= Mb, 2^2 with 
probabihty at least 1 — 6. Since (u2,U2), (v2,V2), (wi,wi), (tA,2; ^71,2), and 
(^5,21^5,2) can be computed from (x, y), by using Lemma r2.1.2t we have 

Since the trace distance does not increase by CP maps, we have 

\\PsAW,TifA,2fB,2FE ~ PsWiTiTa,2Tb,2Fe\\ < 2(5- 

Therefore, the statement that the dummy key S is e-secret imphes that the 
actual key Sa is {s + 2(5)-secret as follows: 

II z z,mix z II 

"PSAWlTlfA,2fB.2FE ~ PSa ^ ^WiTif2,AT2,s™ll 

- "^LwiTifA,2Ts,2i^E ~ PSWiTiTa,2Tb.2Fe\\ 

I II z z,mix ^ z II 

+ ll/55WiTiTA,2Tfl,2™ - Ps ^ PWiTiTa,2Tb,2FE\\ 

. II z,mix ^ z z,mix ^ z n 

+ \\PS ^ PWmTA,2TB,2FE - PSa ^ ^WlTlfA,2tB,2™ll' 

where the first term is upper bounded by 25, the second term is upper 
bounded by 2e, and the third term is also upper bounded by 25 because 
^z,mix _ The assumption that the two-way IR procedure is 5- 

universally-correct also implies that the distilled key pair [Sa-,Sb) is 5- 
univer sally-correct. Thus, the key pair is (e -|- 3(5)-secure if ||/>(z) — p\\ < 
a. Averaging over the sample sequence z E Q, the distilled key pair is 
(e -|- 35 -|- ^(a, m))-secure. 



One thing we have left is to prove Eq. (j4.5|) . According to Lemma r2.2.im 
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the inequality 



2n 



< 



H^{UiU2V2\WiEiE2) 
implies the inequality 



r]{a) 



^i(z) fcA,2(z) A;b,2(z) 



n 



n 



n 



(z)< 



^^mm(PUiU2V2WiE|WiE) - A;i(z) - kA,2{'^) - kB,2{z) - 21og(3/2e). 



Thus, Corollary 12.2.141 implies that the dummy key S is e-secret. 

Since the syndrome Ti is computed from the sequence Ui, if the dummy 
key 5 is e-secret in the case that Eve can access the sequence Ui, then the 
dummy key S must be e-secret in the case that Eve can only access the 
syndrome Ti instead of Ui . According to Lemma 12.2.101 the inequality 



^ 1 
2n 2 



H^iU2V2\UiWiEiE2) - via) 



n 



n 



implies the inequality 



(z) < i/^i„(puiU2V2WiE|UiWiE) - A;a,2(z) - A;b,2(z) - 21og(3/2e). 



Thus, Corollary 12.2.141 implies that the dummy key S is e-secret. 

Combining above two arguments, we have the assertion of the theorem. 

□ 



Remark 4.4.2 The maximization in Eq. (j4.4p is very important. If either 
of them is omitted, the key generation rate of the postprocessing can be 
underestimated, as will be discussed in Section [4.51 

Remark 4.4.3 By switching the role of Alice and Bob, we obtain a post- 
processing with the reverse two-way IR procedure. For the postprocess- 
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ing with the reverse two-way IR procedure, we can show almost the same 
statement as Theorem 14.4.11 by replacing Ui with Vi, and by using the 
5-universaIly-correct for the reverse two-way IR procedure. 

4.4.2 Asymptotic Key Generation Rates 

In this section, we derive the asymptotic key generation rate formula for the 
postprocessing with the two-way IR procedure. First, we consider the six- 
state protocol. Since the ML estimator is a consistent estimator, in a similar 
arguments as in Sections 13.4.11 and 13.4.31 we can set the sequence of the key 
generation rates so that it converges to the asymptotic key generation rate 
formula 

i max [Hp{UiU2V2\WiEiE2) - Hp{Ui\YiY2) 

- Hp{U2\WiYiY2) - Hp{V2\WiXiX2), 
Hp{U2V2\UiWiEiE2) - Hp{U2\WiYiY2) - ^^(^211^1^1^2)] (4.6) 

in probability as m, n ^ oo. We can also derive the asymptotic key genera- 
tion formula for the postprocessing with the reverse two-way IR procedure 
as 

^ max [Hp{ViU2V2\WiEiE2) - Hp{Vi\XiX2) 

- Hp{U2\WiYiY2) - Hp{V2\WiXiX2), 
Hp{U2V2\UiWiEiE2) - Hp{U2\WiYiY2) - ^^(^211^1^1 ^2)] • (4.7) 

Next, we consider the BB84 protocol. Since the ML estimator is a 
consistent estimator, in a similar arguments as in Sections 13.4.11 and 13.4.41 
we can set the sequence of the key generation rates so that it converges to 
the asymptotic key generation rate formula 

i min Yas.^[H,{UiU2V2\WiEiE2)-H^{Ui\YiY2) 

- H^{U2\WiYiY2) - H^{V2\WiXiX2), 
H,{U2V2\UiWiEiE2) - H^{U2\WiYiY2) - HMW1X1X2)] , (4.8) 
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in probability as m, n ^ oo. 

We can also derive the asymptotic key generation rate formula for the 
postprocessing with the reverse two-way IR procedure as 

I min max[H,{ViU2V2\WiEiE2) - HUUi\XiX2) 

- H^{U2\WiYiY2) - H^{V2\WiXiX2), 
H,{V2\UiWiEiE2) - H^{U2\WiYiY2) - HM\WiXiX2)] . (4.9) 

The following propositions are useful to calculate the minimizations in 
Eqs. ^E) and 

Proposition 4.4.4 For two density operator p^,p'^ G Vc and a probabilis- 
tically mixture p' := Xp^ + (1 — Eve's ambiguities are convex, i.e., we 
have 

Hp,{UiU2V2\WiEiE2) 

< XHpi{UiU2V2\WiEiE2) + (1 - X)Hp2{UiU2V2\WiEiE2) 

and 

Hp,{U2V2\UiWiEiE2) 

< XHp,{U2V2\UiWiEiE2) + (1 - X)Hp2{U2V2\UiWiEiE2), 

where p'i;iU2V2Wi_EiE2 density operator derived from a purification 

ii^'ABEr Of {p^sr^. 

Proof. The statement of this proposition is shown exactly in the same way 
as Proposition 13.4.71 □ 



Proposition 4.4.5 For the BB84 protocol, the minimization in Eqs. (j4.8|) 
and (|4.9p is achieved by Choi operator q whose components i?zy, ^xy, Ryz, 
Ryx, and ty, are all 0. 
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Proof. The statement of this proposition is shown exactly in the same way 



Remark 4.4.6 By using the chain rule of von Neumann entropy, we can 
rewrite Eq. (j4.6p as 



+Hp{U2V2\UiWiEiE2) - Hp{U2\WiYiY2) - Hp{V2\WiXiX2)}. (4.10) 



We can interpret this formula as follows. If Bob's ambiguity Hp{Ui\YiY2) 
about bit Ui is smaller than Eve's ambiguity Hp{Ui\WiEiE2) about Ui, 
then Eve cannot decode sequence Ui jS W731 lDW03j . and there exists some 
remaining ambiguity about bit Ui for Eve. We can thus distill some secure 
key from bit Ui. On the other hand, if Bob's ambiguity Hp{Ui\YiY2) about 
bit Ui, i.e., the amount of transmitted syndrome per bit, is larger than 
Eve's ambiguity Hp{Ui\WiEiE2) about Ui, then Eve might be able to de- 
code sequence Ui from her side information and the transmitted syndrome 
|SW73t lDW03j . Thus, there exists the possibility that Eve can completely 
know bit Ui, and we can distill no secure key from bit Ui, because we have 
to consider the worst case in a cryptography scenario. Consequently, send- 
ing the compressed version (syndrome) of sequence Ui instead of Ui itself 
is not always effective, and the slope of the key rate curves change when 
Eve becomes able to decode Ui (see Figs. HTH |121 1131 [Oll^ . 
A similar argument also holds for the BB84 protocol. 

Remark 4.4.7 If we take the functions XA and xb as 



as Proposition 13.4.9] bv using Proposition 14.4.^ 



□ 



^{max[Hp{Ui\WiEiE2) - H{UijYi,pY2,p),0] 




(4.11) 



and 



XB{hiM) = 1- 



(4.12) 
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Then, the postprocessing proposed in this thesis reduces to the postprocess- 
ing proposed in [WMUKOT] . 

Remark 4.4.8 The asymptotic key generation rate (for the six-state pro- 
tocol) of the postprocessing with the advantage distillation is given by 



where the auxiliary random variables Ui,U2, Wi are defined as in Section 
14.21 or they are defined by using the functions xa,Xb given in Eqs. (I4.11|) 
and ()4.12p . From Eqs. (j4.6p and ()4.13p . we can find that the asymptotic key 
generation rate of the proposed postprocessing is at least as high as that of 
the postprocessing with the advantage distillation if we employ appropriate 
functions XA,XB- 

A similar argument also holds for the BB84 protocol. 

Remark 4.4.9 In [GA08| . Gohari and Anantharam proposeci§ a two-way 
postprocessing which is similar to our proposed two-way postprocessing. 
They derived the asymptotic key generation rate formula of their proposed 
postprocessing. Although their postprocessing seems to be a generaliza- 
tion of our proposed postprocessing, the asymptotic key generation rate 
(Eq. (|4.6p ) of our proposed postprocessing cannot be derived by their asymp- 
totic key generation rate formula. By modifying their formula for the QKD 
protocol, we can only derive the asymptotic key generation rate 



For aPauli channel, since Wi is independent from {Xi, X2) and Hp(Wi\EiE2) = 

^It should be noted that they consider the classical key agreement problem instead of 
the postprocessing of the QKD protocol. However, as we mentioned in Chapter [TJ they 
are essentially the same. 



^[Hp{U2\UiWiEiE2) - Hp{U2\WiYiY2)] 



(4.13) 



'^[Hp{Ui\EiE2) - Hp{Ui\YiY2) 

+Hp{Wi\UiEiE2) - Hp{Wi\UiXiX2) 
+Hp{U2\UiWiEiE2) - Hp{U2\UiWiYiY2) 
+Hp{V2\UiWiU2EiE2) - Hp{V2\UiWiU2XiX2)]. 



(4.14) 
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0, Eq. (14.141) is strictly smaller than Eq. (filBI) . 

The underestimation of the asymptotic key generation rate comes from 
the following reason. In Gohari and Anantharam's postprocessing, a syn- 
drome of wi is transmitted over the public channel, and the length of the 
syndrome is roughly Hp{Wi\UiXiX2). When the syndrome is transmitted 
over the public channel. Eve cannot obtain more information than wi itself. 
The lack of this observation results into Eq. (j4.14p . 



4.5 Comparison of Asymptotic Key Generation 
Rates for Specific Channels 

In this section, we compare the asymptotic key generation rates of the 
proposed postprocessing, the postprocessing with the advantage distillation, 
the one-way postprocessing for representative specific channels. 



4.5.1 Pauli Channel 



When the channel between Alice and Bob is a Pauli channel, the Stokes 
parameterization of the corresponding density operator /? E is 



Cz 
Cx 
ev 





" " 









) 




_ _ 





(4.15) 



for —1 < ez,ex,ey < 1. The Choi operator of the Pauli channel is a Bell 
diagonal state: 



P= ^KL(k,l)|V(k,l))(V(k,l)|, 

k,lGF2 



(4.16) 
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where Pkl is a distribution on F2 x F2 defined by 



and 



i^KL(0,0) 

Pkl(0,1) 

i^KL(l,0) 



1^(0,0)) 

IV'(i,o)) 
imi)) 



4 

1+ez-ex-ey 
4 

l-Ez+ex — Ey 

4 

l-Ez-ex + Ev 



|00) + 111) 
V2 ^ 

|01) + |io) 
|oo)-|ii) 
|oi)-|io) 

^/2 ■ 



(4.17) 



We occasionally abbreviate Pkl{^, as pki- Note that the Pauli channel is 
a special class of the unital channel discussed in Section 13.6. 2[ 

The following lemma simplify the calculation of Eq. ()4.8p for a Pauli 
channel. 

Lemma 4.5.1 For a Bell diagonal Choi operator p, the minimizations in 
Eqs. (j4.8p (|4.9p are achieved by a Bell diagonal operator g £ Vc{oj)- 

Proof. This lemma is a straightforward corollary of Proposition I4.4.4[ □ 



Lemma 4.5.2 For Bell diagonal state p, the asymptotic key generation rate 
is maximized when we employ the functions XA-, XB given by Eqs. M.llh and 

(jm. 

Proof. Since Hp{X2\Wi = 1, Y1Y2) = 1 and Hp{X2\Wi = 1, E1E2) < 1, X2 
should be discarded if Wi = 1. Similarly, Y2 should be discarded if Wi = 0. 
Since the Bell diagonal Choi operator is symmetric with respect to Alice 
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and Bob's subsystem, we have 



Hp{X2\Wi = 0, U1E1E2) = H,{Y2\Wi = 0, U1E1E2), 



and 



Hp{X2\Wi = 0,YiY2) = Hp{Y2\Wi = 0,XiX2). 



Furthermore, we have 



Hp{Y2\Wi = 0,UiX2EiE2) < Hp{Y2\Wi = 0,XiX2). 



(4.18) 



Therefore, the functions given by Eqs. ()4.1ip and (j4.12p are optimal. Note 



By Lemmas 14.5.11 and 14.5.21 it suffice to consider the functions given 
by Eqs. (j4.1ip and (j4.12p if the channel is a Pauli channel. Therefore, we 
employ the functions given by Eqs. (j4.1ip and (|4.12p throughout this subsec- 
tion. Furthermore, we can find that the asymptotic key generation rates for 
the direct and the reverse IR procedure coincide, because H p{Ui\WiEiE2) = 
Hp{Vi\WiEiE2) and Hp{Ui\YiY2) = Hp{Vi\XiX2). Therefore, we only 
consider the asymptotic key generation rate for the direct IR procedure 
throughout this subsection. 

Theorem 4.5.3 For a Bell diagonal state /?, we have 



that Eq. (I4.18P means that we should not keep Y2 if we keep X2 ■ 



□ 



i max [Hp{UiU2\WiEiE2) - Hp{Ui\YiY2) 
-Hp{U2\WiY^Y2), 
Hp{U2\UiWiEiE2) - Hp{U2\WiYiY2)] 
= max[l - -H'(Pkl) 




^k(O) 



(1 - F(P^l))] 



(4.19) 



2 
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where 



(poo +?'0l)^ + (PlO 

2(iJoo +Poi)(pio +Pu), 



and 



^^1^1(0,0) 



Poo+Poi 



^kl(1,0) 



(POO +?'0l)^ + (PlO 

2pooPoi 



(poo+poi)'^ + {pio +piiy' 

Pw+Pu 



^kl(1,1) 



(poo +POl)^ + {PW 
2pioPii 



(poo +Poi)^ + (Pio 



The theorem is proved by a straightforward calculation, and the proof is 
presented at the end of this section. 

Combining Lemma 14.5.11 Theorem 14.5.31 and Eq (j4.17p , it is straight- 
forward to calculate the asymptotic key generation rate for a Pauli chan- 
nel. As a special case of the Pauli channel, we consider the depolarizing 
channel. The depolarizing channel is parameterized by one real parameter 
e G [0,1/2], and the Bell diagonal entries of the Choi operator are given 
by Poo = 1 — 3e/2, piQ = pqi = pu = e/2. For the six-state protocol, it 
is straightforward to calculate the asymptotic key generation rate, which 
is plotted in Fig. 14.11 According to Lemma 14. 5. H it is sufficient to take 
the minimization over the subset 7^c,Beii('-^) C Vc{uj) that consists of all 
Bell diagonal operators in Vc{^)- For the depolarizing channel, the set 
'Pc,Beii('^) consists of Bell diagonal state q = igjfg p'kil^C^' '))(V'('^) 01 sat- 
isfying p'qq = 1 — e + k, p[q = p[^ = e/2 — k, and p'n = k for k G [0, e/2]. 
We can calculate the asymptotic key generation rate by taking the mini- 
mum with respect to the one free parameter k G [0,e/2], which is plotted 
in Fig. [Ol 

It should be noted that the asymptotic key generation rate of the stan- 
dard one-way postprocessing [SPOOl ILoOl] is 1 — i7(PKL) for the six-state 
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protocol and m.inK[l — H {P\<,\_)] for the BB84 protocol. Therefore, Eq. (j4.19p 
analytically clarifies that the asymptotic key generation rate of our post- 
processing is at least as high as that of the standard postprocessing. 

Proof of Theorem \4-5.3 

Let 

li^ABE) := Yl V^KL(k,l)|^(k,l))|k,l) 

k,lGF2 

x,k&2 

be a purification of p = i^j^^ l^Pi^, 0)(V'(k, where we set 

\^{x, k)) := -jl= ' v/^^UM)|k, 1), 

V^K(k) igp^ 

and where PkO^) = S16F2 -^KL(k, I) is a marginal distribution. Then, let 

PX1X2Y1Y2E1E2 

where 

PE1E2 •= l</'(3^i'ki))(0(xi,ki)| (g) |</'(x2,k2))((/)(2;2,k2)| 

for X = {xi,X2) and k = (ki, k2). 

Note that H{Ui\YiY2) = H{Wi) for the Pauh channel. Let W2 be a 
random variable defined by W2 ■= ■^2(1^11^2) + f^2- Then, for the Pauli 
channel, we have H{U2\WiYiY2) = PwMH{Pw2m=a)- 

Noting that 

Px^X2Y^Y2{x.x + k) = ^PK(k), 
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0.025 0.05 0.075 0.1 0.125 0.15 
Parameter e 



Figure 4.1: Comparison of the asymptotic key generation rates of the six- 
state protocols. "Two-way" is the asymptotic key generation rate of the 
proposed postprocessing. "Vollbrecht et al." is the asymptotic key genera- 
tion rate of the two-way postprocessing of [MFD+n6[lWMUn6j . "Advantage 
Distillation" is the asymptotic key generation rate of the postprocessing 
with the advantage distillation [GL03| . "One-way" is the asymptotic key 
generation rate of the one-way postprocessing |RGK05j . It should be noted 
that the asymptotic key generation rates of the six-state protocols with the 
advantage distillation in [RenOSl IGL03[ ICha02[ IBA07j are slightly higher 
than that of the proposed protocol for much higher error rate. 
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CD 
^— > 

O 



0.8 
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I 0.4 

CD 

^ 0.2 



Two-way 

Vollbrecht et al. 

One-way 
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Parameter e 



0.12 



Figure 4.2: Comparison of the asymptotic key generation rates of the BB84 
protocols. "Two-way" is the asymptotic key generation rate of the proposed 
postprocessing. "Vohbrecht et al." is the asymptotic key generation rate 



of the two-way postprocessing of MFD+Om IWMU06] . "Advantage Distil- 
lation" is the asymptotic key generation rate of the postprocessing with the 
advantage distillation |GL03| . "One-way" is the asymptotic key generation 
rate of the one-way postprocessing |RGK05| . 
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we have 



1 

2 

PwA^l) = ^K(k) 



kSF2 



-Pc72|VFi=o('"2) - - 
^'c72|Wi=l(^2) = 1 



-Pl^2|W^i=o(^2) n / \ 

Pw2\Wi=l{^) = 1- 

Using these formulas, we can write 

PUxU2W^EiE2 = E PUr{ui)PwAwi) 

A/2 1 14^1 =«>i (^^2 ) I w , uii ) (n, wi I O p'j^'^^^ 

for u= (ui,U2), where 

-u,wi o / \ uG,{wi,W2)G 

PE1E2 '■- 2^ PW2\Wi=0{W2)PeiE2 
W2&2 



for wi = and a matrix G = i | , and 

\ 1 / 



a,beF2 

for t^i = 1. 



-u,wi 1 {ui,a)G,{wi,b)G 

PE1E2 ■~ 4^Si£;2 



Since supports of rank 1 matrices {p^-^E^}^l^Y2 are orthogonal to each 
other, = is already eigen value decomposed. Applying 

Lemma [4.5.41 for J = {00, 10} and C = = {00, 11}, we can eigen value 
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decompose P^e^e2 wi = 1 as 

ptk = E ^E^j|K=ka)i^(K'0)'k,r))w(ni,o),k,r)i, 

where we follow the notations in Lemma 14.5.41 for m = 2. 



Thus, we have 

H{pUrU2WiEiE2) 

\Wi=w-i ) 

+ Y PuAui)Pu2\Wi=Wiiu2)H{p''j^^^^)} 

+ Pk(1)^(^'kj|k=i)- (4-20) 



Taking the partial trace of PU1U2W1E1E2 over systems Ui,U2, we have 

PW1E1E2 = X] Pwi{m)\wi){wi\ 

wie¥2 



PUiPu2\Wi=wiiu2)PE'^E^ 



KU&2 



Thus, we have 

H{pwiEiE2) = H{Pwi)+ X Pwiim) 

U11GF2 

H Pu,Pu2\Wi=wiiu2)PEiE2 
= i^(PK)+E^K(OM^KL|K=-k)- (4-21) 



4.5. Comparison of Asymptotic Key Generation Rates for Specific 
Channels 99 



Combining Eqs. (j4.20p and (|4.2ip . we have 

Hp{UiU2\WiEiE2) - H{Ui\YiY2) - H{U2\UiWiYiY2) 

= 2-i7(P^L^) + PK(l){^(^Kj|K=i)-l} 

PooPio +P01P11 



2-2H{Pi,0+PKi'i-)h 



(poo +Poi)(pio +Pn] 



On the other hand, by taking partial trace of PU1U2W1E1E2 over the 
system Ui, we have 



PU1W1E1E2 



]rPWiiwi)\ui,Wl){ui,Wl\ 



2 

mi,uiiGF2 



^ Pu2\Wi=wii.U2)p^^^Ef''"^ 

^U2&2 

Thus, we have 

H{pUiWiEiE2) = l + ^(^Vi)+ ^ ^Pwiiwi) 



H I XI Pu2\Wi=wi{u2)ptlE2''''" 

\U2&2 

l + ^(^K)+E^K(kM^'KJ|K=i: 
kGF2 



Combining Eqs. ()4.20|) and (14.220 . we have 

Hp{U2\WiUiEiE2) - H{U2\WiUiEiE2) 



Hp{U2\WiUiEiE2) - PwMH{Pw2\w^=o) 

PKim-HiPki))- 



(4.22) 



□ 
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Lemma 4.5.4 Let C be a linear subspace of F™. Let 



and := \ip"^{x, k)){ip"^{x, k)|. Let J be a set of coset representatives of 
the cosets F™/C, and 

p M Ecgc^^K"L(k,r+e) 

be conditional probability distributions on J. Then, for any a G ¥2^, we 
have 

^4tf'' = E ^'j|K"^=kd)l^(«, k,r))(^(a, kj)|, (4.23) 



x£C 



where 



EeeC^^KT(kJ + e) 



|^?(a, k,j)) 



E(-irV^^L(k,r+c)ik,r+c). 

Remark 4.5.5 If j 7^ i, obviously we have {^{a,k,})\'d{a,k,T)) = 0. Thus, 
the right hand side of Eq. (j4.23|) is an eigen value decomposition. Moreover, 
if a + 6 G C, then we have |'!?(a, k,])) = {i^ib, k,j)). 

Proof. For any x £ C and a G F™, we can rewrite 

P-(k,r+c')|k,r+e) 
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Then, we have 




x+d,k 



|^?(a,k,i))Wa,k,r)l 



|^?(a,k,i))Wa,k,T)| 

E^jiK'"=k(r)i^(«' k,r))(^(a, k,r)i, 



JeJ 

where • is the standard inner product on the vector space F^, and we used 
the foHowing equahty, 



4.5.2 Unital Channel 

In this section, we calculate the asymptotic key generation rates for the 
Unital channel. Although we succeeded to show a closed formula of the 
asymptotic key generation rate for the Pauli channel, which is a special class 
of the unital channel, in Section [4.5. H we do not know any closed formula 
of the asymptotic key generation rate for the unital channel in general. 

For the six-state protocol, it is straightforward to numerically calculate 
the asymptotic key generation rate. For the BB84 protocol, owing to Propo- 




for i / j. 



□ 
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sition H74.5l the asymptotic key generation rate can be calculated by taking 
the minimization over one free parameter Ryy. 



As an example of non Pauli but unital channel, we numerically calculated 
asymptotic key generation rates for the depalarizing channel whose axis is 
rotated by 7r/4, i.e., the channel whose Stokes parameterization is given by 



cos(7r/4) -sin(7r/4) 
sin(7r/4) cos(7r/4) 
1 



1 - 2e 
1 - 2e 
1 - 2e 



(4.24) 



For this channel, since the Choi operator is symmetric with respect to 
Alice and Bob's subsystem, we can also show that the asymptotic key gen- 
eration rate is maximized when we employ the functions XA^Xb given by 
Eqs. (14. lip and (j4.12p in a similar manner as Lemma 14.5.21 Therefore, we 
employ the functions given by Eqs. (j4.1ip and (|4.12p throughout this subsec- 
tion. Furthermore, we can find that the asymptotic key generation rates for 
the direct and the reverse IR procedure coincide, because H p{Ui\WiEiE2) = 
Hp{Vi\WiEiE2) and Hp{Ui\YiY2) = Hp{Vi\XiX2). Therefore, we only 
consider the asymptotic key generation rate for the direct IR procedure 
throughout this subsection. 

For the BB84 protocol and the six-state protocol, the asymptotic key 
generation rate of the postprocessing with the two-way IR procedure and 
that of the postprocessing with the one-way IR procedure are compared in 
Fig. 14.31 and Fig. 14.41 respectively. We find that the asymptotic key gener- 
ation rates of the postprocessing with our proposed two-way IR procedure 
is higher than those of the one-way postprocessing, which suggest that our 
proposed IR procedure is effective not only for the Pauli channel, but also 
for non-Pauli channels. It should be noted that the asymptotic key genera- 
tion rates of the postprocessing with the direct one-way IR procedure and 
the reverse one-way IR procedure coincide for this example. 
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0.02 0.04 0.06 0.08 

Parameter e 

Figure 4.3: Comparison of the asymptotic key generation rates of the BB84 
protocol. "Two-way" is the asymptotic key generation rate of the postpro- 
cessing with two-way IR procedure (Eq. (j4.8p ). "One-way" is the asymp- 
totic key generation rate of the postprocessing with one-way IR procedure 
(Eq. (13^5]) ). 
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0.02 0.04 0.06 0.08 0.10 0.12 
Parameter e 

Figure 4.4: Comparison of the asymptotic key generation rates of the 
six-state protocol. "Two-way" is the asymptotic key generation rate of 
the postprocessing with two-way IR procedure (Eq. (j4.6p ). "One-way" is 
the asymptotic key generation rate of the postprocessing with one-way IR 
procedure (Eq. (|3.12p l. 
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4.5.3 Amplitude Damping Channel 



In this section, we calculate the asymptotic key generation rates (for the 
direct two-way IR procedure and the reverse two-way IR procedure) for the 
amplitude damping channel. Although we succeeded to derive a closed for- 
mulae of the asymptotic key generation rates of the one-way postprocessing 
in Section 13.6. H we do not know any closed formula of the asymptotic key 
generation rates of the postprocessing with the two-way IR procedure for 
the amplitude damping channel. Furthermore, it is not clear whether the 
asymptotic key generation rate is maximized when we employ the functions 
given by Eqs. (j4.1ip and (j4.12p . Therefore, we (numerically) optimize the 
choice of the functions xa,Xb so that the asymptotic key generation rate 
is maximized. 

Since the set Vc{oj) consists of only p itself for both the BB84 protocol 
(refer Section 13.6. ip , we can easily conduct the numerical calculation of the 
asymptotic key generation rates for the six-state protocol and the BB84 pro- 
tocol. The asymptotic key generation rates of the postprocessing with the 
direct two-way IR procedure, the reverse two-way IR procedure, the direct 
one-way IR procedure, and the reverse one-way IR procedure are compared 
in Fig. 14.51 It should be noted that the asymptotic key generation rates for 
the BB84 protocol and the six-state protocol coincide in this example. We 
numerically found that the functions given by XA{ai,0'2) ■= 1 and 




if ai = a2 

1 else 



maximizes the asymptotic key generation rates for both the direct two-way 
IR procedure and the reverse IR procedure. 
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Two-way (reverse) 
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Two-way (direct) 
Two-way (non-optimal) 
One-way (direct) 
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0.8 



1.0 



Figure 4.5: Comparison of the asymptotic key generation rates. "Two- 
way (reverse)" is the asymptotic key generation rate of the postprocessing 
with reverse two-way IR procedure (Eq. (j4.7p ). "One-way (reverse)" is 
the asymptotic key generation rate of the postprocessing with reverse one- 
way IR procedure (Eq. (j3.13p ). "Two-way (direct)" is the asymptotic key 
generation rate of the postprocessing with direct two-way IR procedure 
(Eq. (j4.6p ). "Two-way (non-optimal)" is the asymptotic key generation rate 
of the postprocessing with direct two-way IR procedure when we employ 
the functions XA, XB given by Eqs. (|4.1ip and (|4.12p . "One-way (direct)" is 
the asymptotic key generation rate of the postprocessing with one-way IR 
procedure (Eq. (f3l^ l. 
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4.6 Relation to Entanglement Distillation Proto- 
col 

As is mentioned in Chapter [H the security of the QKD protocols have been 
studied by using the quantum error correcting code and the entanglement 
distillation protocol (EDP) since Shor and Preskill found the relation be- 
tween them [SPOOj . The crucial point in Shor and Preskill's proof is to 
find an EDP that corresponds to a postprocessing of the QKD protocols. 
Indeed, the security of the QKD protocols with the two-way classical com- 
munication |GL03j was proved by finding the corresponding EDPs. 

We will explain the EDP proposed by Vollbrecht and Vestraete [VV05] in 
this section. Then, we present the postprocesin^ of the QKD protocols that 
corresponds to Vollbrecht and Vestraete's EDP. Furthermore, we compare 
the posptocessing (corresponding to Vollbrecht and Vestraete's EDP) and 
the postprocessing shown in Section 14.41 and clarify the relation between 
them, where we employ the functions given by Eqs. (|4.11|) and (|4.12p . The 
comparison result suggestj^ that there exists no EDP that corresponds to 
the postprocessing shown in Section [4.41 

Suppose that Alice and Bob share 2n pairs bipartite qubits systems, and 
the state of each bipartite system is a Bell diagonal stat^ 

P=Y. ^'KL(k,l)|V(k,l))(V(k,l)|. (4.25) 

k,lGF2 

The EDP is a protocol to distill the mixed entangled state p®'^^ into the 
maximally entangled state by using the local operation and the clas- 

sical communication |BDSW96] . 

Vollbrecht and Vestraete proposed the following EDP |VV05j . where it 



■^The post processing presented in this section is a modified version of the postprocessing 
presented in |MFD+06l IWMU06| so that it fit into the notations in this thesis. 



*Renner et al. suggested that there exist no EDP which corresponds to the noisy 
preprocessing (see Remark 1 3. 4. 6 |l proposed by themselves. 

^There is an entanglement distillation protocol that works for bipartite states that are 
not necessarily Bell diagonal states [DW05] . However, we only consider EDPs for the Bell 
diagonal states. 
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is slightly modified (essentially the same) from the original version because 
we want to clarify the relation among this EDP, the corresponding postpro- 
cessing, and the postprocessing shown in Section [4.4[ 

(i) Alice and Bob divide 2n pairs of the bipartite systems into n blocks of 
length 2, and locally carry out the controlled-NOT (CNOT) operation 
on each block, where the 2zth pair is the source and the {2i — l)th 
pair is the target. 

(ii) Then, Alice and Bob undertake the breeding protocol [BBP"'"96] to 
guess bit-flip errors in the (2i — l)th pair for all i. The guessed bit-flip 
errors can be described by a sequence wi (Note that two-way classical 
communication is used in this step). 

(iii) According to wi, Alice and Bob classify indices of blocks into two sets 
To := {i ■ Wi = 0} and Ti := {i : Wi = 1}. 

(iv) For a collection of 2ith pairs such that i gTq, Alice and Bob conduct 
the breeding protocol to correct bit-flip errors. 

(v) For a collection of 2zth pairs such that i £Ti, Alice and Bob perform 
measurements in the z-basis, and obtain measurement results X2,Ti 
and y2,Ti respectively. 

(vi) Alice sends X2,Ti to Bob. 

(vii) Alice and Bob correct the phase errors for the remaining pairs by using 
information Tq, Ti, and the bit-flip error X2^Ti + y2,Ti- 

The yield of this EDP is given by 



We can find by the concavity of the binary entropy function that the first 
argument in the maximum of the r.h.s. of Eq. (I4.19P is larger than the value 




(4.26) 



in Eq. Km . 



4.7. Summary 
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If we convert this EDP into a postprocessing of the QKD protocols, 
the difference between that postprocessing and ours is as follows. In the 
postprocessing converted from the EDP |VV05] . after Step (jiv|), Alice reveals 
the sequence, X2-j-^, which consists of the second bit, Xi2, of the ith block 
such that the parity of discrepancies wn is 1. However, Alice discards X2 -j-^ 
in the proposed IR protocol of Section 14. 3i Since sequence X2 -j-^ has some 
correlation to sequence ui from the view point of Eve, Alice should not 
reveal -j-^ to achieve a higher key generation rate. 

In the EDP context, on the other hand, since the bit flip error, Xg -j-^ + 
y2 , has some correlation to the phase flip errors in the (2i — l)-th pair with 
i G Ti, Alice should send the measurement results, j^, to Bob. If Alice 
discards measurement results X2 -j-^ without telling Bob what the result is, 
then the yield of the resulting EDP is worse than Eq. (|4.26|) . Consequently, 
there seems to be no correspondence between the EDP and our proposed 
classical processing. 

4.7 Summary 

The results in this chapter is summarized as follows: In Section 14. 2^ we 
reviewed the advantage distillation. In Section 14.31 we proposed the two- 
way IR procedure. In Section 14.41 we derived a sufficient condition on the 
key generation rate such that a secure key agreement is possible with our 
proposed postprocessing (Theorem 14. 4. ip . We also derived the asymptotick 
key generation rate formulae. 

In Section 14.51 we investigated the asymptotic key generation rate of our 
proposed postprocessing. Especially in Section 14.5. H we derived a closed 
form of the asymptotic key generation rate for the Pauli channel (Theorem 
I4.5.3|) . which clarifies that the asymptotic key generation rate of our pro- 
posed postprocessing is at least as high as the asymptotic key generation 
rate of the standard postprocessing. We also numerically clarified that the 
asymptotic key generation rate of our proposed postprocessing is higher 
than the asymptotic key generation rate of any other postprocessing for the 
Pauli channel (Section I4.5.ip . the unital channel (Section I4.5.2p . and the 
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amplitude damping channel (Section I4.5.3P respectively. 

Finally in Section 14.61 we clarified the relation between our proposed 
postprocessing and the EDP proposed by Vollbrecht and Vestraete |VV05] . 



Chapter 5 

Conclusion 



In this thesis, we investigated the channel estimation phase and the post- 
processing phase of the QKD protocols. The contribution of this thesis is 
summarized as follows. 

For the channel estimation phase, we proposed a new channel estima- 
tion procedure in which we use the mismatched measurement outcomes in 
addition to the samples from the matched measurement outcomes. We clar- 
ified that the key generation rate decided according to our proposed channel 
estimation procedure is at least as high as the key generation rate decided 
according to the conventional channel estimation procedure. We also clar- 
ified that the former is strictly higher than the latter for the amplitude 
damping channel and the unital channel. 

For the postprocessing phase, we proposed a new kind of postprocess- 
ing procedure with two-way public communication. For the Pauli channel, 
we clarified that the key generation rate of the QKD protocols with our 
proposed postprocessing is higher than the key generation rate of the QKD 
protocols with the standard one-way postprocessing. For the Pauli chan- 
nel, the amplitude damping channel, and the unital channel, we numerically 
clarified that the QKD protocols with our proposed postprocessing is higher 
than the key generation rate of the QKD protocols with any other postpro- 
cessing. 

There are some problems that should be investigated in a future. 



Ill 
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• To show the necessary and sufficient condition on the channel for that 

the (asymptotic) key generation rate decided according our proposed 
channel estimation procedure is strictly higher than that decided ac- 
cording to the conventional channel estimation procedure for the six- 
state protocol. 

• To analytically show that the (asymptotic) key generation rate of our 
proposed two-way postprocessing is at least as high as that of the 
standard one-way postprocessing, or to find a counter example. 



Appendix A 

Notations 



Notations first appeared in Chapter [2] 



PX,PXY 

v{n) 
v'{n) 

P,PAB 

H{X) 
H{Px) 

h{.) 

H{X\Y) 
I{X-Y) 
H{p) 



the set of all probability distributions on the set X 
probability distributions 
the type of the sequence x 

the set of all density operators on the quantum sys- 
tem TL 

the set of all non-negative operators on 7i 
density operators 

the trace distance (variational distance) 
the fidelity 

the entropy of the random variable X 
the entropy of the random variable with the distri- 
bution Px 

the binary entropy function 

the (Shannon) conditional entropy of X given Y 

the mutual information between X and Y 

the von Neumann entropy of the system whose 

state is p 
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Hp{A\B) 
Ip{A;B) 

0"x, CTy, (Tz 

IV') 

{R,t) 

Hram{PAB\(^B) 
HraaxiPABWB) 
HLiniPAB\B) 

H^a.APAB\B) 

B^ip) 

d{pAB\B) 



the conditional von Neumann entropy of the system 
A conditioned by the system B 
the quantum mutual information between the sys- 
tems A and B 
the Pauli operators 

the maximally entangled state defined in Eq. (12. 6p 

the set of all Choi operators 

the Stokes parameterization of the channel 

the min-entropy of pAB relative to 0"^ 

the max-entropy of pab relative to fj^ 

the e-smooth min-entropy of pab given the system 

B 

the e-smooth max-entropy of pab given the system 
B 

the set of all operators p € V'iTL) such that ||/0 — 
P\\ < T^W 

the distance from the uniform (see Definition 
[2XTT]) 



Notations first appeared in Chapter [3] 



|Oa),|l. 
PXYE 

M 
t 

PXY 

Pw 



the eigenstates of the Pauli operator cja 
the {ccg}-state describing Alice and Bob's bit se- 
quences (X, Y) and the state in Eve's system 
the parity check matrix 
the syndrome 

the probability distribution of Alice and Bob's bits 
the probability distribution of the discrepancy be- 
tween Alice and Bos's bits 

the components {Rzz, Rzx, Rxz, Rxx,tz,tx) of the 
Stokes parameterization 
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7 



r 

V 



T 



the components {Rzy, Rxy, Ryz, Ryx, Ryy,ty) of the 
Stokes parameterization 
the range of uj 

the set of all Choi operator for a fixed uj 
the components {Rzz, Rxx, Ryy) of the Stokes pa- 
rameterization 

the components {Rzx,Rzy,Rxz,Rxy,Ryz,Ryx,tz,tx,ty) 

of the Stokes parameterization 
the range of 7 

the set of all Choi operator for a fixed 7 
the components {Rzz, Rxx) of the Stokes parameter- 
ization 

the components {Rzx,Rzy,Rxz,Rxy,Ryz,Ryx,Ryy,tz,tx,ty) 

of the Stokes parameterization 
the range of v 

the set of all Choi operators for a fixed v 



Notations first appeared in Chapter [4] 



C 

XA,XB 

Ca 
Cb 
Ui 



-> F2 such that ^(01,02) = 
F2 such that C(O)O) = a and 



the function ^ : F2 

ai + 02 

the function : F2 — 
C(a,l) = 

arbitrary functions from F^ to F2 
the function F^ F2 such that Cyl('^i; ^^2; 0^3) = 0,1 
for xa{0'2i0'3) = and CA(ai;«2>«3) = for else 
the function F2 F2 such that Csio-i, 02, as) = ai 
for XBia2,0'3) = and C-b(q^I) 0^2, 03) = for else 
the random variable defined as Ui = ^{Xi,X2) 
the random variable defined as Vi = ^{Yi, Y2) 
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the random variable defined as Wi = Ui + Vi 
the random variable defined as U2 = C(^2)W^i) or 
the random variable defined as U2 = Ca{^2, Ui,Vi) 
the random variable defined as V2 = C(^2 5W^i or 
the random variable defined as V2 = (b{^2, f^ij ^1) 
Bell states 

the distribution such that the Bell diagonal com- 
ponents of a Bell diagonal state 
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Thesis 

Articles in Journals 

• S. Watanabe, R. Matsumoto, T. Uyematsu, and Y. Kawano, "Key 
rate of quantum key distribution with hashed two-way classical com- 
munication," Phys. Rev. A, vol. 76, no. 3,pp. 032312-1-7, Sep. 2007. 

• S. Watanabe, R. Matsumoto, and T. Uyematsu, "Tomography in- 
creases key rate of quantum-kcy-distribution protocols," Phys. Rev. A, 
vol. 78, no. 4, pp. 042316-1-11, Oct. 2008. 

Peer- Reviewed Articles in International Conferences 

• S. Watanabe, R. Matsumoto, and T. Uyematsu, "Security of quan- 
tum key distribution protocol with two-way classical communication 
assisted by one-time pad encryption," in Proc. Asian Conference on 
Qauntum Information Science 2006, Beijing, China, September 2006. 

• S. Watanabe, R. Matsumoto, T. Uyematsu, and Y. Kawano, "Key 
rate of quantum key distribution with hashed two-way classical com- 
munication," in Proc. 2007 IEEE Int. Symp. Inform. Theory, Nice, 
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• S. Watanabe, R. Matsumoto, T. Uyematsu, and Y. Kawano, "Key 
rate of quantum key distribution with hashed two-way classical com- 
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• S. Watanabe, R. Matsumoto, and T. Uyematsu, "Tomography in- 
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at recent result session in 2008 IEEE Int. Symp. Inform. Theory, 
Toronto, Canada, July, 2008. 

• S. Watanabe, R. Matsumoto, and T. Uyematsu, "Tomography in- 
creases key rate of quantum-key-distribution protocols," in Proc. SITA 
2008, Kinugawa, Japan, Oct., 2008. 

• S. Watanabe, R. Matsumoto, and T. Uyematsu, "Tomography in- 
creases key rate of quantum-key-distribution protocols," presented 
at GSIS Workshop on Quantum Information Theory, Sendai, Japan, 
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